Alerting

Scripted alerts - how to access the search results from within the script?

arkadyz1
Builder

I'm trying to set up a scripted alert which would transform the search results and output them into a file. I tried doing so but there was no output file. I then replaced my script with echo.bat, taken from http://wiki.splunk.com/Community:TroubleshootingAlertScripts - only to find out that the 8th parameter (the name of the file containing the search results) is not passed! I did find in the documentation that results.file is now deprecated, though :(.

What could be another way of achieving what I need? I want the search results transformed into JSON (which Python should be able to do easily) and saved into a certain log file. I did see that one can call the script once per event, but that would be wasteful (we are talking about 20K events here), and I don't really know how the event itself is passed into such per-event script, if at all.

0 Karma
1 Solution

arkadyz1
Builder

I guess I'll go in a different direction: I'll create an application with a command (new search command, much like pingstatus_command), will pipe the search output into it and iterate through the results received from splunk.Intersplunk.getOrganizedResults(), transforming them and adding to my output file(s). At least there I know for sure that it works. I'll experiment some and will update this post.

arkadyz1
Builder

I ended up doing just that: created an application with a command referencing a Python script reading the events (used splunk.Intersplunk.getOrganizedResults for that) and generating the desired output files. Here's hoping others will find it useful :).

0 Karma

woodcock
Esteemed Legend

I used this in v6.0.* and it still worked but if I am remembering correctly, the filename given to me was not named *.gz or *.zip or anything like that even though it WAS gzipped. Is ARGV[7] actually null or is a value present? If it is present, is there a file there? If there is a file there, try to gunzip it.

0 Karma
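The check woodcock suggests (is argv[8] set, does the file exist, is it gzipped despite its name) as an added example in Python; this is not code from the thread. It is the shape of a legacy scripted-alert handler: Splunk's documented argument order puts the event count, search terms, fully qualified search, saved search name, trigger reason and link in argv[1] to argv[6] and the results file in argv[8]. The output path is an assumption for this illustration, and the sample CSV is constructed.

```python
#!/usr/bin/env python
"""Added example (not from the thread): scripted-alert handler that converts
the results file passed as argv[8] to JSON lines, gunzipping it if needed.

Assumption: argv[8], when present, is a CSV file that may be gzip-compressed
without a .gz suffix. OUTPUT_PATH is a hypothetical location.
"""
import csv
import gzip
import io
import json
import os
import sys
import tempfile

GZIP_MAGIC = b"\x1f\x8b"
OUTPUT_PATH = os.environ.get("ALERT_JSON_OUT",
                             os.path.join(tempfile.gettempdir(), "alert_results.jsonl"))


def is_gzip(data):
    """Decide by the magic number, not the file name, which is what the thread ran into."""
    return data[:2] == GZIP_MAGIC


def read_results_bytes(data):
    """Turn raw results-file bytes (plain or gzipped CSV) into a list of dicts."""
    if is_gzip(data):
        data = gzip.decompress(data)
    return list(csv.DictReader(io.StringIO(data.decode("utf-8"))))


def load_results(path):
    with open(path, "rb") as fh:
        return read_results_bytes(fh.read())


def write_json_lines(rows, out_path):
    """Append one JSON object per row; the file is created owner-only."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as out:
        for row in rows:
            out.write(json.dumps(row, sort_keys=True) + "\n")
    return len(rows)


def main(argv):
    """Return 0 on success, 1 when Splunk did not hand over a results file."""
    if len(argv) <= 8 or not argv[8]:
        sys.stderr.write("no results file in argv[8]; nothing to do\n")
        return 1
    if not os.path.isfile(argv[8]):
        sys.stderr.write("results file %s does not exist\n" % argv[8])
        return 1
    n = write_json_lines(load_results(argv[8]), OUTPUT_PATH)
    sys.stderr.write("wrote %d rows to %s\n" % (n, OUTPUT_PATH))
    return 0


def demo():
    """Constructed input: a gzipped CSV saved without a .gz suffix."""
    sample_csv = (b"_time,host,count\n"
                  b"2015-05-29T08:15:00,SrSWEng,288\n"
                  b"2015-05-29T08:16:00,web01,3\n")
    tmpdir = tempfile.mkdtemp()
    results_path = os.path.join(tmpdir, "results.csv")
    with open(results_path, "wb") as fh:
        fh.write(gzip.compress(sample_csv))
    rows = load_results(results_path)
    out_path = os.path.join(tmpdir, "out.jsonl")
    n = write_json_lines(rows, out_path)
    with open(out_path) as fh:
        lines = fh.read().splitlines()
    return rows, n, lines


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script exits non-zero and logs to stderr when argv[8] is missing, the failure shows up in splunkd.log instead of silently producing no output file, which is the symptom the question describes.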

arkadyz1
Builder

It's actually ARGV[8] - ARGV[0] is the script name, so the parameters are counted from one :). And yes, it's not present - I've shown my test script and its output in one of the comments above.

0 Karma

stephanefotso
Motivator

I don't know if I understand your problem well, but if it is what I think: set up a scripted alert which would transform the search results and output them into a file, I'm not sure it is yet possible. The manual is clear on it:

You can enable the following alert actions:

1. Send email notification.
The email notification can include information related to the alert (search results).
2. Run scripts.
3. Enable RSS notification for the alert.
4. Enable summary indexing for alerts.
5. Track the alert in Splunk Enterprise Settings.

Note: "Run scripts" does not mean "write search results into a file". It just means configure an alert to run a shell script or batch file when the alert triggers. So, you can configure an alert action to run a script that writes to a certain file you have defined, not the alert to write search results into a file.
Thanks

SGF
0 Karma

arkadyz1
Builder

Yes, I understand all of that. It's just that the documentation is self-contradictory: in one place, they say "8th parameter is the name of the file with the raw search results", in another, pronounce $results.file deprecated. Strangely enough, Splunk's own alert_actions.conf still refers to that deprecated field.

0 Karma

stephanefotso
Motivator

NO. The document is not self-contradictory: I think I'm the one making the error. What you have to do is:

  1. Create your script: let's say myscript.
  2. Place it in $SPLUNK_HOME/bin/scripts.
  3. Add the following in myscript: Raw Results: $8

Thanks.

SGF
0 Karma

arkadyz1
Builder

That's what I tried: echo %0 %1 ... %8 in Windows. %8 is empty.

My "self-contradictory" remark was not exactly true: the problem is that the default alert_actions.conf file still utilizes the deprecated $results.file in 8th position. The part which says that the 8th parameter contains that file name does not state where it's taken from. So the reality (alert_actions.conf) does not match the documentation.

0 Karma

woodcock
Esteemed Legend

According to the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Alert/Setupalertactions

It says search results are supported HOWEVER only from a scheduled search or an alert. So convert whatever you are doing to one of those and it should work fine (8th field); it works for me with an Alert.

0 Karma

arkadyz1
Builder

But that's exactly what I'm doing - an alert with a script to run. Unfortunately, my 8th parameter is not set. I'm using 6.2.2. The (gzipped?) CSV file name is not passed down to my script.

Any other suggestions?

0 Karma

arkadyz1
Builder

Update - I've just done the same from a report (scheduled search). The 8th parameter is empty.

Here is the script (under Windows) that I'm using:
echo.bat

@echo off
echo %0, %1, %2, %3, %4, %5, %6, %7, %8 >> "c:\temp\test_output.txt" 
date /T >> "c:\temp\test_output.txt"
time /t >> "c:\temp\test_output.txt"
echo ---------------------------------------- >> "c:\temp\test_output.txt"

And here is the result:

"C:\Program Files\Splunk\bin\scripts\echo.bat", 288, "index^=enterprise sourcetype^=SienaQueriesLog", "index^=enterprise sourcetype^=SienaQueriesLog", "Test scripted report", "Saved Search \[Test scripted report\] always^(288^)", http://SrSWEng:8000/app/search/@go?sid, scheduler__admin__search__RMD580400730183daf54_at_1432901700_6826, ""  
Fri 05/29/2015 
08:15 AM
---------------------------------------- 
0 Karma