Hi, I tried to create a custom alert action that operates a script, but I didn't understand how to send parameters from the search results to the script.
For example: a script that checks Windows version for every IP address in the search results. How do I send the results to my script? What do I have to put in alert_actions.conf and in my script?
Please try to explain instead of just sending links to Splunk Docs, I read these and still didn't find my answer.
Thanks
Hi,
The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..
from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse
if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] != "--execute":
print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
sys.exit(1)
else:
#settings = json.loads(sys.stdin.read())
result = sys.stdin.read()
settings = json.loads(result)
file = open("testResult.txt", "w")
file.write(result)
file.close()
print("here we go", settings)
sys.exit(0)
resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource
{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}
Hi,
The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..
from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse
if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] != "--execute":
print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
sys.exit(1)
else:
#settings = json.loads(sys.stdin.read())
result = sys.stdin.read()
settings = json.loads(result)
file = open("testResult.txt", "w")
file.write(result)
file.close()
print("here we go", settings)
sys.exit(0)
resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource
{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}
Hi,
I saw that you send 10 events to alert action but you just get one event in result. Is there any way that we can capture all 10 events?