A couple of folks already linked to the wiki page, but Splunk sets system variables for several search variables starting with '$1'. My colleague and I built something similar a while back with a bash script. One of the variables, I can't recall which one, was not being populated consistently (we're running Splunk 4.3.1), so in the end I decided just to use the SPLUNK_SEARCH_NAME variable and parse it to gather the slots I need to populate in Service Desk. Then I just name each saved search in the format 'APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE' and I can parse that out into the fields needed by SD. You could of course map the other available variables too. Obviously you'd need to understand your ticketing system's API or command line.
#!/bin/ksh -x
# Set default Splunk parameters to variables (positional args passed by Splunk to the alert script)
SPLUNK_EVENT_COUNT=$1
SPLUNK_SEARCH_TERMS=$2
SPLUNK_QUERY_STRING=$3
SPLUNK_SEARCH_NAME=$4
SPLUNK_ALERT_TRIGGER=$5
SPLUNK_SEARCH_URL=$6
# $7 is not used by this script
SPLUNK_SEARCH_RESULTS=$8
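The parsing step the post describes, as an added example rather than the poster's own script: it splits a saved-search name of the form 'APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE' into the four fields and builds a ticket summary from them plus the event count and search URL Splunk passes in. The function names, the field separator handling and the sample search name are assumptions; the call that would actually create the ticket is a placeholder, since it depends on your ticketing system.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the saved-search name
# convention 'APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE' into ticket fields.

# parse_search_name NAME
# Prints "applog|criticality|environment|message" on stdout, or returns 1
# if the name does not contain at least three '~' separators. Anything after
# the third '~' is kept as part of the message.
parse_search_name() {
    name=$1
    case $name in
        *~*~*~*) ;;
        *) echo "malformed search name (expected APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE): $name" >&2
           return 1 ;;
    esac
    applog=${name%%~*};      rest=${name#*~}
    criticality=${rest%%~*}; rest=${rest#*~}
    environment=${rest%%~*}; message=${rest#*~}
    printf '%s|%s|%s|%s\n' "$applog" "$criticality" "$environment" "$message"
}

# ticket_summary COUNT NAME URL
# Builds a one-line ticket title from the parsed fields and the Splunk args.
# Returns 1 (and prints nothing) if the name cannot be parsed.
ticket_summary() {
    count=$1; name=$2; url=$3
    fields=$(parse_search_name "$name") || return 1
    # Re-split on '|' (message text is last, so it may contain spaces)
    applog=${fields%%|*};      fields=${fields#*|}
    criticality=${fields%%|*}; fields=${fields#*|}
    environment=${fields%%|*}; message=${fields#*|}
    printf '[%s/%s] %s: %s (%s events) %s\n' \
        "$environment" "$criticality" "$applog" "$message" "$count" "$url"
}

# When run by Splunk as an alert script, $1 is the event count, $4 the saved
# search name and $6 the search URL. Guarded so sourcing the file does nothing.
if [ $# -ge 6 ]; then
    summary=$(ticket_summary "$1" "$4" "$6") || exit 1
    echo "$summary"
    # Placeholder: replace with your ticketing system's CLI or API call, e.g.
    # create_ticket --summary "$summary" --attach "$8"
fi
```

The parse is done with POSIX parameter expansion rather than `cut` so it works unchanged in ksh, bash and sh; the hard check for three separators means a mis-named saved search fails loudly instead of opening a ticket with empty fields. Remember the search name is supplied by whoever saves the search in Splunk, so quote it everywhere it is used and never pass it unquoted into a command line.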