How to run an alert script on field values generated in Splunk?
aniketb
Path Finder
08-07-2014
10:29 AM
Hi,
I have an alert that calls a script when invoked.
The result has the 1st column as IP address [host]. I want the script to run on all IP addresses in the result.
Because host is a field generated by default in Splunk, what's the best way to call a script?
Is something like:
myscript $Host
or whatever the argument for the IP address is, possible?
Lowell
Super Champion
08-07-2014
01:04 PM
So you can't directly call your script with an argument the way you described above, but you can get pretty close with a simple wrapper script.
Here is something you could get started with:
run_my_script_per_host.py:

    import sys
    import gzip
    import csv
    from subprocess import call

    def openany(p):
        # Splunk hands the results file to an alert script gzipped, so open it
        # accordingly; text mode so csv can parse it
        if p.endswith(".gz"):
            return gzip.open(p, "rt")
        else:
            return open(p)

    results_file = sys.argv[8]  # file with search results (argv[8] for alert scripts)
    for row in csv.DictReader(openany(results_file)):
        # Build a command line to call based on fields from splunk output
        # (argv list, not a shell string, so the host value is one argument)
        my_command = ["myscript", row["host"]]
        call(my_command)
This script will execute myscript <HOST> for every result returned by your search.
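As an added example (not part of Lowell's answer or of Splunk's own code), here is a fuller version of the same wrapper. It goes beyond the post in one respect: because the host field is populated from log data, the wrapper validates each value as an IP address with the standard ipaddress module before building the command, so a malformed or multi-token value cannot become an extra argument. "myscript" is the placeholder name from the question, and the sample results file is constructed inline for offline testing; the argv[8] convention for the results path is the one the answer describes.

```python
"""Added example: Splunk alert-script wrapper that runs a per-host command
for every row of the results file, after validating the host field.
"myscript" is a placeholder taken from the question; nothing here is
Splunk's own code."""
import csv
import gzip
import ipaddress
import os
import subprocess
import sys
import tempfile


def openany(path):
    # Splunk passes the results file gzipped (results.csv.gz); open in text
    # mode with newline="" as the csv module expects.
    if path.endswith(".gz"):
        return gzip.open(path, "rt", newline="")
    return open(path, newline="")


def valid_ip(value):
    """True only if the whole value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def build_commands(results_path, script="myscript"):
    """Return one argv list per result row whose host field is a valid IP.
    Rows with a missing or malformed host are skipped, so a value that came
    from log data cannot add tokens to the command line."""
    commands = []
    with openany(results_path) as fh:
        for row in csv.DictReader(fh):
            host = row.get("host", "")
            if not valid_ip(host):
                continue
            # argv list, never a shell string: the host is always exactly
            # one argument, whatever characters it contains.
            commands.append([script, host.strip()])
    return commands


def run_per_host(results_path, script="myscript"):
    """Invoke the script once per valid host, without a shell."""
    for cmd in build_commands(results_path, script):
        subprocess.run(cmd, check=False)


def sample_results_path():
    """Write a constructed results.csv.gz (sample data, not Splunk output)
    into a temp directory and return its path."""
    rows = [
        {"host": "10.0.0.5", "count": "3"},
        {"host": "10.0.0.7 extra", "count": "1"},  # constructed malformed value
        {"host": "", "count": "2"},                 # constructed empty value
        {"host": "192.168.1.20", "count": "9"},
    ]
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["host", "count"])
        writer.writeheader()
        writer.writerows(rows)
    return path


if __name__ == "__main__":
    # Under Splunk, argv[8] is the results file; stand-alone, use the sample.
    results_file = sys.argv[8] if len(sys.argv) > 8 else sample_results_path()
    for cmd in build_commands(results_file):
        print(cmd)
```

Run stand-alone it prints the two argv lists it would execute; deployed as an alert script it reads the real results file from argv[8]. Replace the `print` with `run_per_host` once the script name and validation rule match your environment.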
