Splunk Search

Get environment variables in alert action script?

jef152
Explorer

How do I get the environment variables, for example $env:user$ into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$) but that just shows up as the literal $env:user$ in my script, not the logged in user. Any ideas?

Any tips or hints appreciated.

Thanks,

Jon

1 Solution

jef152
Explorer

I'll post this as an official answer after having done some more testing. It does seem to work well.

In my alert_actions.conf, I put the following command (used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

jef152
Explorer

Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:

In my alert_actions.conf, I put the following command (used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far....

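An added example, not from this thread or from Splunk, of the script side of this approach: a custom alert action that reads the JSON payload Splunk writes to its stdin, takes the user handed over via param.user_select, and refuses an unsubstituted token (the literal $env:user$ problem from the question) rather than recording it as if it were a username. The payload keys used (sid, search_name, owner, configuration, result) are those of Splunk's custom alert action framework; the sample values and the helper names are constructed for this example.

```python
import json
import re
import sys

# Constructed sample of the JSON payload Splunk passes on stdin to a custom
# alert action run with --execute (values are made up for this example).
SAMPLE_PAYLOAD = json.dumps({
    "sid": "sid_constructed_0001",
    "search_name": "ES notable - example",
    "owner": "alert_owner",
    "configuration": {"user_select": "jdoe"},
    "result": {"auth_user_id": "jdoe", "_time": "1700000000"},
})
# Same payload when the token was never substituted and arrived literally.
UNRESOLVED_PAYLOAD = SAMPLE_PAYLOAD.replace('"user_select": "jdoe"',
                                            '"user_select": "$env:user$"')

# Conservative shape for a Splunk username; '$' is excluded so an unresolved
# token such as $env:user$ or $result.auth_user_id$ is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,256}$")

def parse_payload(raw):
    """Parse the alert action payload and check it has the expected shape."""
    payload = json.loads(raw)
    if not isinstance(payload, dict) or "configuration" not in payload:
        raise ValueError("not a Splunk alert action payload")
    return payload

def triggering_user(payload):
    """Return the user carried in param.user_select, validated as a username.
    Fails closed: no silent fallback to the alert owner, since that is a
    different identity from the person who ran the adaptive response."""
    user = payload["configuration"].get("user_select")
    if not user or not USERNAME_RE.match(user):
        raise ValueError("user_select missing or not a username: %r" % (user,))
    return user

def audit_record(payload):
    """Structured record of who triggered this run, for the script's own log."""
    return {
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "owner": payload.get("owner"),
        "triggered_by": triggering_user(payload),
    }

if __name__ == "__main__":
    raw = sys.stdin.read() if "--execute" in sys.argv else SAMPLE_PAYLOAD
    print(json.dumps(audit_record(parse_payload(raw))))
```

When the same search fires on its schedule rather than from an ad hoc action, current-context resolves to the identity the scheduled search runs as, so the value identifies an interactive user only for runs such as Run Adaptive Response.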

burwell
SplunkTrust

By user do you mean the owner of the alert?

Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens


jef152
Explorer

No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses the 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged in user (I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.
