How do I get the environment variables, for example $env:user$, into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$), but that just shows up as the literal $env:user$ in my script, not the logged-in user. Any ideas?
Any tips or hints appreciated.
Thanks,
Jon
I'll post this as an official answer after having done some more testing. It does seem to work well.
In my alert_actions.conf, I put the following command (used a generic alert action name):
command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$
Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:
In my alert_actions.conf, I put the following command (used a generic alert action name):
command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$
It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far...
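The other half of the setup is what the alert action script does with that param once it arrives. As an added example (not code from the thread or from Splunk), here is a minimal custom alert action script showing where param.user_select lands in the JSON payload Splunk writes to the script's stdin under `--execute`, and how to handle the failure mode from the question: a token that was never expanded (the literal `$env:user$`) or a param that is missing entirely. The param name `user_select` comes from the command above; the username regex and the sample payload are assumptions constructed for this example.

```python
"""Added example (not from the original thread): reading the param set by
the `command=` stanza in alert_actions.conf from inside the alert action script.

Splunk runs the script as `script.py --execute` and writes one JSON object to
stdin. The params from alert_actions.conf arrive under "configuration", and
the alert owner under "owner".
"""
import json
import re
import sys

# Conservative username pattern; an assumption for this example, not a Splunk rule.
# It rejects values with shell metacharacters or whitespace before they reach
# anything that might interpolate them.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")


def parse_payload(raw):
    """Parse the --execute JSON payload Splunk writes to stdin."""
    payload = json.loads(raw)
    # Guarantee the two keys this script relies on so callers need no extra checks.
    payload.setdefault("configuration", {})
    payload.setdefault("owner", "")
    return payload


def looks_unexpanded(value):
    """True for tokens Splunk did not substitute, e.g. the literal '$env:user$'
    the question reports seeing in the script."""
    return value.startswith("$") and value.endswith("$")


def resolve_actor(payload):
    """Return (username, source) for the user who triggered the action.

    Prefer param.user_select (filled by the REST join in the search);
    fall back to the alert owner when the param is missing, empty, an
    unexpanded token, or not a plausible username.
    """
    candidate = str(payload["configuration"].get("user_select", "")).strip()
    if candidate and not looks_unexpanded(candidate) and USERNAME_RE.match(candidate):
        return candidate, "param.user_select"
    return payload["owner"], "owner"


def main():
    payload = parse_payload(sys.stdin.read())
    user, source = resolve_actor(payload)
    # Splunk records the script's stderr in splunkd.log, so this is visible later.
    sys.stderr.write("INFO actor=%s source=%s sid=%s\n" % (user, source, payload.get("sid")))
    # ... do the real work with `user` here ...


# Constructed sample payload, trimmed to the fields this example reads.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "sid-example-1",
    "owner": "admin",
    "configuration": {"user_select": "jon"},
    "result": {"_raw": "example event", "auth_user_id": "jon"},
})

if __name__ == "__main__" and "--execute" in sys.argv:
    main()
```

The fallback to "owner" is deliberate: for a scheduled run there is no interactive user, and for an ad hoc run where the join produced nothing you still get a name to log rather than an empty string or a raw `$...$` token.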
By user do you mean the owner of the alert?
Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens
No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged-in user (I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.