Splunk Search

Get environment variables in alert action script?

jef152
Explorer

How do I get the environment variables, for example $env:user$ into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$) but that just shows up as the literal $env:user$ in my script, not the logged in user. Any ideas?

Any tips or hints appreciated.

Thanks,

Jon

1 Solution

jef152
Explorer

I'll post this as an official answer after having done some more testing. It does seem to work well.

In my alert_actions.conf, I put the following command (used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

jef152
Explorer

Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:

In my alert_actions.conf, I put the following command (used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far...

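The answer above covers the search side: the `rest .../current-context` join puts the logged-in user into the `auth_user_id` field, and `param.user_select=$result.auth_user_id$` hands it to the alert action. What the thread does not show is how that value arrives in the script. The following is an added example, not code from the thread or from Splunk: a minimal custom alert action script that reads the JSON payload Splunk writes to stdin in `--execute` mode and pulls `user_select` out of the `configuration` object (where `param.*` settings land with the `param.` prefix stripped). The sample payload, the `analyst1`/`alert_owner` names and the `USERNAME_RE` allow-list are assumptions made for the example; the value is treated as untrusted input because it comes from a search result rather than from an authentication check, so an unexpanded token such as the literal `$env:user$` from the original question is rejected rather than passed on.

```python
"""
Added example (not from the forum thread): the receiving side of the
param.user_select trick in a custom alert action script.

Splunk runs a custom alert action script as `script.py --execute` and
writes a JSON payload to stdin. Values declared as `param.<name>` in
alert_actions.conf arrive under payload["configuration"]["<name>"], with
search-result tokens such as $result.auth_user_id$ already substituted.
The user names and sid below are constructed sample data.
"""
import json
import re
import sys

# Usernames we are willing to pass on. Anything else is treated as
# untrusted input (it came from a search result, not from an auth check).
# The pattern is an assumption for this example; adjust to local naming.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def parse_payload(raw):
    """Parse the JSON payload Splunk writes to stdin in --execute mode."""
    return json.loads(raw)


def invoking_user(payload):
    """Return the logged-in user passed via param.user_select, or None.

    param.user_select=$result.auth_user_id$ in alert_actions.conf means the
    expanded value shows up here as payload["configuration"]["user_select"].
    A literal, unexpanded token (e.g. "$env:user$") fails the allow-list
    and is rejected.
    """
    value = payload.get("configuration", {}).get("user_select", "")
    if not value or not USERNAME_RE.match(value):
        return None
    return value


def describe(payload):
    """Summarise who owns the alert vs who triggered this action run."""
    return {
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "owner": payload.get("owner"),
        "invoked_by": invoking_user(payload),
    }


# Constructed sample payload in the shape Splunk sends (trimmed to the
# keys used above). "auth_user_id" came from the `rest .../current-context`
# join in the alert's search, so "user_select" is already expanded.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Sample notable event",
    "sid": "constructed_sample_sid",
    "owner": "alert_owner",
    "configuration": {"user_select": "analyst1"},
    "result": {"auth_user_id": "analyst1"},
})

if __name__ == "__main__":
    # Under Splunk: `script.py --execute` with the payload on stdin.
    # Stand-alone: fall back to the constructed sample payload.
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        raw = sys.stdin.read()
    else:
        raw = SAMPLE_PAYLOAD
    print(json.dumps(describe(parse_payload(raw)), indent=2))
```

Logging both `owner` and `invoked_by` is worth doing in the real script: as the later reply in the thread points out, the alert's owner and the analyst who clicked "Run Adaptive Response" are different people, and an audit trail of who triggered a response action is usually what you want to keep.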

burwell
SplunkTrust

By user do you mean the owner of the alert?

Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens


jef152
Explorer

No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses the 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged in user (I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.
