I know it's just my lack of knowledge with Splunk causing me some grief here but...
I want to pass search results to an external python script.
Here is my search:
sourcetype="*WinEventLog:Security" (EventCode=528 OR EventCode=4624) AND Logon_Type=10 | eval event_date = strftime(_time, "%D %T %P") | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1)) | script python alogin User Source_Network_Address host
My python script merely sends me an email with what I thought would be the field values I passed (User, Source_Network_Address and host).
But I'm actually getting the words "User", "Source_Network_Address" and "Host" in the email.
Of course I tested the script, and if I run it as "python alogin.py nicholas 10.0.10.99 SERVER" it works and I'm sent an email with the three values passed, as expected.
What am I missing here?
Thanks in advance.
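Added example (not the poster's alogin.py) showing how a custom search command script can treat the words on its command line as field names and look them up in the result rows. It assumes, as the post's symptom suggests, that Splunk hands the words after the script name to the script as literal sys.argv strings and delivers the search results on stdin as CSV with a header row; the sample rows are constructed here so it runs offline.

```python
import csv
import io
import sys

# Assumed `script` command behaviour: the words after the script name arrive as
# literal strings in sys.argv, the search results arrive on stdin as CSV with a
# header row, and whatever the script writes to stdout as CSV becomes the output.
FIELD_ARGS = ["User", "Source_Network_Address", "host"]  # as in the post's search
# Constructed sample of what Splunk would pipe to stdin for the post's search.
SAMPLE_CSV = (
    "User,Source_Network_Address,host,EventCode,Logon_Type\n"
    "nicholas,10.0.10.99,SERVER,4624,10\n"
    "svc_backup,192.0.2.17,DC01,528,10\n"
)

def read_results(stream):
    """Parse the CSV result rows Splunk pipes into the command's stdin."""
    return list(csv.DictReader(stream))

def resolve_fields(rows, field_names):
    """Turn the argv field *names* into per-row field *values*, in argv order."""
    return [[row.get(name, "") for name in field_names] for row in rows]

def format_alert(rows, field_names):
    """Email body: one line per successful remote-interactive (type 10) logon."""
    lines = []
    for values in resolve_fields(rows, field_names):
        lines.append("Logon: " + ", ".join(f"{k}={v}" for k, v in zip(field_names, values)))
    return "\n".join(lines)

def run(argv, stdin, stdout):
    """Command entry point; returns the alert body that would be emailed."""
    rows = read_results(stdin)
    body = format_alert(rows, argv)
    # The post's script already sends the email; that call would go here.
    # Echo the rows back unchanged so the search pipeline keeps its results.
    if rows:
        writer = csv.DictWriter(stdout, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
    return body

def sample_rows():
    return read_results(io.StringIO(SAMPLE_CSV))

if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; under Splunk, stdin/stdout are real.
    print(run(sys.argv[1:] or FIELD_ARGS, io.StringIO(SAMPLE_CSV), io.StringIO()))
```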