Developing for Splunk Platform

How to create a custom alert action Python script with parameters from search results?

agentsofshield
Path Finder

Hi, I tried to create a custom alert action that operates a script, but I didn't understand how to send parameters from the search results to the script.

For example: a script that checks Windows version for every IP address in the search results. How do I send the results to my script? What do I have to put in alert_actions.conf and in my script?

Please try to explain instead of just sending links to Splunk Docs, I read these and still didn't find my answer.

Thanks

Labels (1)
0 Karma
1 Solution

schose
Builder

Hi,

The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    else:
        #settings = json.loads(sys.stdin.read())
        result = sys.stdin.read()
        settings = json.loads(result)

        file = open("testResult.txt", "w")
        file.write(result)
        file.close()

        print("here we go", settings)
        sys.exit(0)

resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource

{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}

View solution in original post

schose
Builder

Hi,

The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    else:
        #settings = json.loads(sys.stdin.read())
        result = sys.stdin.read()
        settings = json.loads(result)

        file = open("testResult.txt", "w")
        file.write(result)
        file.close()

        print("here we go", settings)
        sys.exit(0)

resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource

{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkd_ui_access","testsource":"/Users/andreas/splunk/var/log/splunk/splunkd_ui_access.log"}}

Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...