Splunk Search

Get environment variables in alert action script?

Explorer

How do I get the environment variables, for example $env:user$ into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$) but that just shows up as the literal $env:user$ in my script, not the logged in user. Any ideas?

Any tips or hints appreciated.

Thanks,

Jon

0 Karma
1 Solution

Explorer

I'll post this as an official answer after having done some more testing. It does seem to work well.

In my alert_actions.conf, I put the following command(used a generic alert action name):

 command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

View solution in original post

Explorer

I'll post this as an official answer after having done some more testing. It does seem to work well.

In my alert_actions.conf, I put the following command(used a generic alert action name):

 command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

View solution in original post

Explorer

Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:

In my alert_actions.conf, I put the following command(used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far....

0 Karma

SplunkTrust
SplunkTrust

By user do you mean the owner of the alert?

Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens

0 Karma

Explorer

No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses the 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged in user(I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!