Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- How to create a custom alert action Python script ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I tried to create a custom alert action that operates a script, but I didn't understand how to send parameters from the search results to the script.
For example: a script that checks Windows version for every IP address in the search results. How do I send the results to my script? What do I have to put in alert_actions.conf and in my script?
Please try to explain instead of just sending links to Splunk Docs, I read these and still didn't find my answer.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..
from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse
if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] != "--execute":
print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
sys.exit(1)
else:
#settings = json.loads(sys.stdin.read())
result = sys.stdin.read()
settings = json.loads(result)
file = open("testResult.txt", "w")
file.write(result)
file.close()
print("here we go", settings)
sys.exit(0)
resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource
{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..
from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse
if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] != "--execute":
print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
sys.exit(1)
else:
#settings = json.loads(sys.stdin.read())
result = sys.stdin.read()
settings = json.loads(result)
file = open("testResult.txt", "w")
file.write(result)
file.close()
print("here we go", settings)
sys.exit(0)
resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource
{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I saw that you send 10 events to alert action but you just get one event in result. Is there any way that we can capture all 10 events?
.conf25 Global Broadcast: Don’t Miss a Moment
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
