Hi redacted,
Do you need to write the fields of your EmailNotificationTokens or the search result to the local disk?
If you need to write to the local disk, you could insert all the information you need in your search and then use the outputcsv command; the only problem is that Splunk writes CSV files only to a fixed folder, $SPLUNK_HOME/var/run/splunk/csv.
If outputcsv could solve your need, you can customize your output using something like this:
...| outputcsv append=true create_empty=true [search * | head 1 | eval query="monitor_splunk_".strftime(now(),"%Y_%m_%d") | fields query | format "" "" "" "" "" ""] singlefile=1
If, otherwise, you need to write information about the triggered alerts to a file, you could use something like this:
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" result_count>0
| table _time thread_id app savedsearch_name result_count
| join savedsearch_name
    [| rest /services/saved/searches
     | dedup search
     | table author eai:acl.app title alert.severity is_scheduled id qualifiedSearch dispatch.earliest_time
     | rename dispatch.earliest_time AS timerange title AS savedsearch_name eai:acl.app AS app
     | fields author app savedsearch_name alert.severity timerange]
| lookup alert_severity.csv severity AS alert.severity OUTPUT Severity
| lookup alert_frequency.csv frequency AS timerange OUTPUT Frequency
| eval wpname=mvindex(split(savedsearch_name," "), 0)
| stats values(author) AS Author values(app) AS App values(Severity) AS Severity values(Frequency) AS Frequency sparkline count AS Alarms sum(result_count) AS Events by savedsearch_name
| sort -Events severity
| rename savedsearch_name AS "Name" sparkline AS Sparkline Frequency AS "Report Frequency"
| fieldformat Events=tostring(Events,"commas")
Bye.
Giuseppe
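As an added example (not Giuseppe's code and not Splunk's): the per-alert summary that the second search computes from scheduler.log, reproduced offline in Python over constructed sample lines. The field names (savedsearch_name, result_count, app, thread_id) are the ones the search reads; the key=value line layout is an assumption about scheduler.log's format, and the values are invented.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of Splunk's scheduler.log.
# Field names follow the search in the answer above; the values are invented.
SAMPLE_LOG = """\
03-10-2024 08:00:02.115 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Brute Force Login", user="admin", app="search", savedsearch_name="Brute Force Login", status=success, result_count=12, alert_actions="email", thread_id="AlertNotifierWorker-0"
03-10-2024 08:05:01.420 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Brute Force Login", user="admin", app="search", savedsearch_name="Brute Force Login", status=success, result_count=0, alert_actions="email", thread_id="AlertNotifierWorker-1"
03-10-2024 08:10:03.007 +0000 INFO  SavedSplunker - savedsearch_id="nobody;sec_app;New Admin Account", user="admin", app="sec_app", savedsearch_name="New Admin Account", status=success, result_count=1, alert_actions="email", thread_id="AlertNotifierWorker-0"
03-10-2024 08:15:02.900 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Brute Force Login", user="admin", app="search", savedsearch_name="Brute Force Login", status=success, result_count=7, alert_actions="email", thread_id="AlertNotifierWorker-2"
"""

# One key=value pair; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')


def parse_line(line):
    """Return the key=value fields of one scheduler.log line as a dict."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize_alerts(log_text):
    """Mirror the SPL above: keep only runs with result_count>0 and, per saved
    search, count the firings (Alarms) and sum the matched events (Events)."""
    summary = defaultdict(lambda: {"app": set(), "alarms": 0, "events": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if "savedsearch_name" not in f:
            continue  # not a scheduled-search record
        count = int(f.get("result_count", 0))
        if count <= 0:
            continue  # the search ran but did not trigger
        entry = summary[f["savedsearch_name"]]
        entry["app"].add(f.get("app", ""))
        entry["alarms"] += 1
        entry["events"] += count
    # Same ordering as "sort -Events": most events first.
    return sorted(summary.items(), key=lambda kv: -kv[1]["events"])


if __name__ == "__main__":
    for name, s in summarize_alerts(SAMPLE_LOG):
        apps = ",".join(sorted(s["app"]))
        print(f"{name:25} app={apps} alarms={s['alarms']} events={s['events']:,}")
```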