The custom alert is built with the "Splunk Add-On Builder". The alert calls a custom command which sends a message to the central event management. I want to use the $result.host$ token in order to create alerts for every host in the result.
savedsearches.conf
[send2cemtest]
action.send2cem = 1
action.send2cem.param.client = testclient
action.send2cem.param.msg = testmsg
action.send2cem.param.sender = $result.host$
action.send2cem.param.workid = testworkid
alert.digest_mode = 0
alert.expires = 24m
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */1 * * * *
enableSched = 1
quantity = 0
relation = greater than
search = index=_internal | head 2
alert_actions.conf
[send2cem]
description = Splunk CEM link
label = CEM link
payload_format = json
is_custom = 1
icon_path = alert_send2cem.png
param.workid =
param.sender =
param.client =
param.msg =
param.severity = warning
command = send2cem $action.send2cem.param.severity$ $action.send2cem.param.client$ $action.send2cem.param.sender$ $action.send2cem.param.workid$ $action.send2cem.param.msg$
html
<form class="form-horizontal form-complex">
<div class="control-group">
<label class="control-label">Severity</label>
<div class="controls">
<label class="radio" for="send2cem_severity_warning">
<input type="radio" name="action.send2cem.param.severity" id="send2cem_severity_warning" value="warning"/>
Warning
</label>
<label class="radio" for="send2cem_severity_critical">
<input type="radio" name="action.send2cem.param.severity" id="send2cem_severity_critical" value="critical"/>
Critical
</label>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send2cem_client">Client <span class="required">*</span> </label>
<div class="controls">
<input type="text" pattern="[a-zA-Z0-9]{3,15}" placeholder="3-15 characters" name="action.send2cem.param.client" id="send2cem_client"/>
<span class="help-block">
Alphanumeric
</span>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send2cem_sender">Sender/host <span class="required">*</span> </label>
<div class="controls">
<input type="text" pattern=".{5,25}" placeholder="5-25 characters" name="action.send2cem.param.sender" id="send2cem_sender"/>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send2cem_workid">Work Instruction ID <span class="required">*</span> </label>
<div class="controls">
<input type="text" pattern="[a-zA-Z0-9]{3,15}" placeholder="3-15 characters" name="action.send2cem.param.workid" id="send2cem_workid"/>
<span class="help-block">
Alphanumeric
</span>
</div>
</div>
<div class="control-group">
<label class="control-label" for="send2cem_msg">Message <span class="required">*</span> </label>
<div class="controls">
<!-- textarea does not support the pattern attribute; minlength/maxlength enforce the 3-100 length in the browser -->
<textarea rows="8" minlength="3" maxlength="100" placeholder="3-100 characters" name="action.send2cem.param.msg" id="send2cem_msg">
</textarea>
</div>
</div>
</form>
Does anyone have some suggestions? I tried several things which I found on Answers but nothing worked and I'm pretty stuck at the moment.
I believe you need to have the host field called out in your search. The search you have under send2cemtest is just this:
index=_internal | head 2
I believe you need to make it so host is a field that is visible in the results. Can you try this search instead?
index=_internal | head 2 | stats count by host
See if that will return results for you.
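As an added example (not part of the question or the answer above, and not code generated by the Add-On Builder), here is a minimal handler for the JSON payload Splunk passes on stdin to a scripted alert action. With alert.digest_mode = 0 the action runs once per result, so $result.host$ is the host of that one result, and it only has a value if host is a field of the search output (which is why the answer adds "| stats count by host"). The script also re-validates the send2cem parameters, because the pattern attributes in the HTML form are only enforced in the browser and never reach whatever runs the command. Assumptions: the payload keys ("configuration", "result", "search_name", "sid") follow Splunk's documented alert payload, the CEM side is replaced by a plain callback, and the two sample payloads are constructed by hand rather than captured from a Splunk instance.

```python
# Added example, not from the original post or the Add-On Builder. Handles the
# JSON payload Splunk sends on stdin (invoked as "script --execute") for one
# alert result and validates the send2cem parameters server-side.
import json
import re
import sys

ALNUM_3_15 = re.compile(r"^[A-Za-z0-9]{3,15}$")   # same rule as the form's pattern
SEVERITIES = ("warning", "critical")


class ParamError(ValueError):
    """A send2cem parameter is missing, unresolved or fails validation."""


def validate_params(cfg):
    """Re-check the parameters as the browser-side form patterns would."""
    for key in ("client", "workid"):
        if not ALNUM_3_15.match(cfg.get(key, "")):
            raise ParamError(f"{key!r} must be 3-15 alphanumeric characters, got {cfg.get(key)!r}")
    sender = cfg.get("sender", "")
    # A $result.host$ token that could not be resolved arrives empty (or, at
    # worst, as the literal token); either way there is no host to report.
    if sender.startswith("$result.") or not 5 <= len(sender) <= 25:
        raise ParamError("'sender' is empty or unresolved; if it is set to "
                         "$result.host$, make host a field of the search results")
    msg = cfg.get("msg", "")
    if not 3 <= len(msg) <= 100:
        raise ParamError("'msg' must be 3-100 characters")
    severity = cfg.get("severity", "warning")
    if severity not in SEVERITIES:
        raise ParamError(f"unknown severity {severity!r}")
    return {"client": cfg["client"], "sender": sender, "workid": cfg["workid"],
            "msg": msg, "severity": severity}


def handle_payload(payload, send):
    """Build one CEM event from one alert payload (one call per result when
    alert.digest_mode = 0), pass it to `send`, and return it."""
    params = validate_params(payload.get("configuration", {}))
    event = dict(params,
                 search_name=payload.get("search_name"),
                 sid=payload.get("sid"),
                 host=payload.get("result", {}).get("host"))
    send(event)
    return event


def main():
    # Splunk runs custom alert action scripts with --execute and the payload on stdin.
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        payload = json.load(sys.stdin)
        handle_payload(payload, lambda e: print(json.dumps(e)))


# Constructed sample payloads (not captured from Splunk): what the script sees for
# `index=_internal | head 2 | stats count by host`, where the token resolved ...
SAMPLE_RESOLVED = {
    "search_name": "send2cemtest",
    "sid": "scheduler__admin__search__sample_at_1700000000_1",
    "configuration": {"client": "testclient", "msg": "testmsg", "sender": "splunk-idx01",
                      "workid": "testworkid", "severity": "warning"},
    "result": {"host": "splunk-idx01", "count": "2"},
}
# ... versus `index=_internal | head 2`, where host is not a result field.
SAMPLE_UNRESOLVED = {
    "search_name": "send2cemtest",
    "sid": "scheduler__admin__search__sample_at_1700000000_2",
    "configuration": {"client": "testclient", "msg": "testmsg", "sender": "",
                      "workid": "testworkid", "severity": "warning"},
    "result": {"_time": "1700000000", "_raw": "sample internal log line"},
}

if __name__ == "__main__":
    main()
```

Running handle_payload(SAMPLE_RESOLVED, print) emits one event with sender and host set to splunk-idx01; SAMPLE_UNRESOLVED raises ParamError pointing at the missing host field. One more caveat for the command = line in alert_actions.conf: the parameters are passed as positional arguments, so a msg containing spaces should be wrapped in quotes there ("$action.send2cem.param.msg$"), otherwise it is split into several arguments.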