Hi all,
Does Splunk support only these 8 arguments to pass to an alert script? Can I customize these arguments, which are generated from the search result, and pass them to the alert script? By the way, do scripted alerts support JavaScript?
$0 = Script name
$1 = Number of events returned
$2 = Search terms
$3 = Fully qualified query string
$4 = Name of saved search
$5 = Trigger reason (i.e. "The number of events was greater than 1")
$6 = Browser URL to view the saved search
$7 = This option has been deprecated and is no longer used
$8 = File where the results for this search are stored (contains raw results)
Thanks in advance!
I hit upon the same issue and ended up using the PowerShell app to orchestrate the searches. This way I can pass unlimited arguments in via the REST API and handle the results in the PS script.
Hi,
I was looking for the answer to the same question as yours, but I ended up using $8, which is the path to the compressed search result (results.csv.gz) in Splunk's var/run/splunk/dispatch directory.
Modifying the JS would also work, but I am afraid the modifications you make will probably be overwritten when you upgrade the Splunk software.
Better check with Splunk support.
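The approach in the answer above (consume the fixed $0..$8 arguments and read the real results from the results.csv.gz file that $8 points to) in working form, as an added example that is not part of this thread and not Splunk's own code. It assumes the argument order listed in the question, that $8 is a gzipped CSV, and that the script is invoked with Python 3; the sample rows, field names, saved-search name and URL in `demo()` are constructed for illustration. The script never builds a shell command from the search terms or trigger reason, which Splunk passes through verbatim, and it only opens the file path it was handed if it looks like a results file.

```python
#!/usr/bin/env python3
"""Alert script skeleton using Splunk's positional alert arguments.

Added example (not from this thread). It assumes the $0..$8 layout the
question lists and that $8 is the path to results.csv.gz; the sample
CSV content below is constructed for illustration.
"""
import csv
import gzip
import os
import sys
import tempfile
from collections import Counter

# Order matches $0..$8 from the question (sys.argv[0] is $0).
ARG_NAMES = [
    "script_name",        # $0
    "event_count",        # $1
    "search_terms",       # $2
    "full_query",         # $3
    "saved_search_name",  # $4
    "trigger_reason",     # $5
    "browser_url",        # $6
    "deprecated",         # $7 (no longer used)
    "results_path",       # $8 path to results.csv.gz
]


def parse_args(argv):
    """Map the positional alert arguments to names; refuse a short argv."""
    if len(argv) < len(ARG_NAMES):
        raise ValueError("expected %d arguments, got %d" % (len(ARG_NAMES), len(argv)))
    args = dict(zip(ARG_NAMES, argv))
    args["event_count"] = int(args["event_count"])
    return args


def load_results(path):
    """Decompress results.csv.gz ($8) and return its rows as dicts."""
    # Only open the results file Splunk handed us; never derive a path
    # from the search terms or any other free-text argument.
    if not path.endswith(".csv.gz") or not os.path.isfile(path):
        raise ValueError("results file missing or not a .csv.gz: %r" % path)
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def count_by(rows, field):
    """Aggregate rows by one column, e.g. which hosts fired the alert."""
    return Counter(row.get(field, "") for row in rows)


def write_sample_results(directory):
    """Write a constructed results.csv.gz like one in a dispatch dir."""
    path = os.path.join(directory, "results.csv.gz")
    rows = [
        {"_time": "2024-01-01T00:00:00", "host": "web01", "status": "500"},
        {"_time": "2024-01-01T00:00:05", "host": "web02", "status": "500"},
        {"_time": "2024-01-01T00:00:09", "host": "web01", "status": "503"},
    ]
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "host", "status"])
        writer.writeheader()
        writer.writerows(rows)
    return path


def handle_alert(argv):
    """Entry point: parse the arguments, load $8, return a summary dict."""
    args = parse_args(argv)
    rows = load_results(args["results_path"])
    return {
        "saved_search": args["saved_search_name"],
        "reason": args["trigger_reason"],
        "reported_count": args["event_count"],   # what $1 claimed
        "actual_count": len(rows),               # what the file holds
        "hosts": dict(count_by(rows, "host")),
    }


def demo():
    """Stand-alone run with constructed arguments shaped like Splunk's."""
    with tempfile.TemporaryDirectory() as tmp:
        results = write_sample_results(tmp)
        argv = ["alert.py", "3", "status>=500", "search status>=500",
                "HTTP 5xx burst", "The number of events was greater than 1",
                "https://splunk.example/app/search", "", results]
        return handle_alert(argv)


if __name__ == "__main__":
    if len(sys.argv) >= len(ARG_NAMES):
        print(handle_alert(sys.argv))   # invoked by Splunk with $0..$8
    else:
        print(demo())                    # manual run for testing
```

Reading $8 is what makes the fixed argument list a non-issue: whatever fields the search produced (with `table` or `stats` in the saved search) arrive as CSV columns, so the script gets the per-event data rather than only the counts and strings in $1..$7. Comparing `reported_count` against `actual_count` is a cheap sanity check that the file belongs to the run that fired the alert.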
It looks like there may be a way to do it but you'll have to make some modifications to config files and scripts. I would recommend backing up any files first of course so you can roll back.
http://splunk-base.splunk.com/answers/32385/alert-script-and-severity
I am also looking for the same. Any idea?