Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:
In my alert_actions.conf, I put the following command (used a generic alert action name):
command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$
It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far....