Include an environmental variable in search results or as part of an alert email subject

taldavita
Explorer

Splunk version 6.5.3

Building a series of alerts in a Development system that include sending an email.

Part of the subject line needs to include the current environment, such as Dev, Test, Prod. My goal is to use a variable for the environment value so the code can move between Dev, Test and Prod without modification.

On the search-head in etc/splunk-launch.conf I included:

DVA_ENV=Dev

(restarted the search-head)

splunk envvars shows the environment settings.

However, I've not found the syntax to include an environment variable in the search results and/or use it in an alert email subject.
Is it possible to access an environment variable? If so, what's the syntax?

Is there a better way to approach this problem?

0 Karma
1 Solution

woodcock
Esteemed Legend

I typically do this by creating a macro; make one called DVA_ENV that does something like this:

| eval DVA_ENV=[|rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server AS server server_to_env_lookup OUTPUT environment AS DVA_ENV | return $DVA_ENV]

The same macro and lookup file/definition can be deployed to all search heads but a different value will be set depending on which search head runs it.

0 Karma

taldavita
Explorer

Good suggestion!

The below statement works when I execute just:

|rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server as splunk_server OUTPUT deployment_environment AS DVA_ENV

the lookup works as expected.

Created a macro called get_deploy_env using

eval DVA_ENV=[ |rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server as splunk_server OUTPUT deployment_environment AS DVA_ENV | return $DVA_ENV]

However when the macro is included in a search the value for DVA_ENV is not returned:

index=myidx | `get_deploy_env splunk_server` | table host splunk_server DVA_ENV
0 Karma

woodcock
Esteemed Legend

Try putting double-quotes around the subsearch. If that doesn't work, then you will have to look at the search log from the job inspector to see what the post-macro search looks like and debug that.

0 Karma

taldavita
Explorer

eval DVA_ENV=[ |rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server as splunk_server OUTPUT deployment_environment | eval DVA_ENV="\"".deployment_environment."\"" | return $DVA_ENV ]

Found how to make it work.

Thanks!

0 Karma
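
The pieces from this thread assembled into one deployable app, as an added example that is not code from any poster. The lookup, macro and field names are the ones used above; the CSV rows, host names, recipient address, alert stanza and schedule are assumptions, and the subject line uses Splunk's `$result.fieldname$` email token, which reads the field from the first result row.

```ini
# Added example. Deploy the same files to every search head; only the row
# matching the local search head's name is used on each one.

# lookups/splunk_server_info.csv (constructed sample rows):
#   server,deployment_environment
#   sh-dev-01,Dev
#   sh-test-01,Test
#   sh-prod-01,Prod

# --- transforms.conf ---
[splunk_server_info]
filename = splunk_server_info.csv

# --- macros.conf ---
# The subsearch runs first and its returned value is pasted into the eval as
# text. Wrapping the value in literal double quotes inside the subsearch makes
# eval see "Dev" (a string) and not Dev (a reference to a field named Dev,
# which is null and leaves DVA_ENV empty).
[get_deploy_env]
definition = eval DVA_ENV=[ | rest /services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server AS splunk_server OUTPUT deployment_environment | eval DVA_ENV="\"".deployment_environment."\"" | return $DVA_ENV ]

# --- savedsearches.conf ---
# Hypothetical alert; DVA_ENV is set on every row, so the first row carries it.
[DVA example alert]
search = index=myidx | `get_deploy_env` | table host splunk_server DVA_ENV
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = alerts@example.com
action.email.subject = [$result.DVA_ENV$] $name$
```

The `rest` command is subject to the running user's capabilities, so the owner of the scheduled search needs permission to run it on the search head.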

inventsekar
SplunkTrust

Not sure, but maybe give this a try.
Why use environment variables? Maybe, simply in the alert description, you can specify the environment type (dev, prod) and utilize it through email tokens.

Token                     Description
$description$            Description of the search.

http://docs.splunk.com/Documentation/Splunk/6.1.2/Alert/Setupalertactions#Email_notification

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma