
Why am I unable to send field value from search to custom alert script?

Cuyose
Builder

I have an alert that triggers when a fail percentage from a scheduled search runs. If I reference the field using $result.Percent$, where Percent is the field with the value I want to include, I can reference this token in the email subject action just fine. However, when I try to use it in our custom action by referencing it as below, I can't seem to get it to work.

sendalert $action_name$ results_Percent="$result.Percent$" results_file="$result.file$" results_link="$results.link$"
0 Karma
1 Solution

Cuyose
Builder

I was able to figure this out. For some reason declaring those variables in a settings file and referencing that instead of directly from the search worked.

0 Karma


DalJeanis
Legend

Please post the stanza for that alert action (whatever value will be in the field action_name) from your alert_actions.conf or saved_searches.conf file.

That action will need fields results_Percent, results_file and results_link defined in order to make use of them.

http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/ModAlertsLog
http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Sendalert

0 Karma

Cuyose
Builder

These are all defined in the alert. Here is the stanza. For whatever reason, the results_file="$results.file$" results_link="$results.link$" portions work fine, but the results_Percent="$result.Percent$" part never gets a value, even though the email action easily picks this value up.

[TEST AWS SPLUNK EMF ALERT PROD]
action.email = 1
action.email.include.results_link = 0
action.email.include.trigger = 1
action.email.include.trigger_time = 1
action.email.include.view_link = 0
action.email.inline = 1
action.email.message.alert = The alert condition for '$name$' was triggered at $result.Percent$ %.
action.email.priority = 5
action.email.sendresults = 1
action.email.to = aa@aa.com
action.email.useNSSubject = 1
action.emf = 1
action.emf.command = sendalert $action_name$  results_file="$results.file$" results_link="$results.link$"  results_Percent="$result.Percent$"
action.emf.param.auth_token_override = xxx
action.emf.param.severity = 2
alert.severity = 5
alert.suppress = 1
alert.suppress.period = 5m
alert.track = 1
alert_condition = search Percent> .5
auto_summarize.dispatch.earliest_time = -1d@h
counttype = custom
cron_schedule = * * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = -m@m
enableSched = 1
request.ui_dispatch_app = app
request.ui_dispatch_view = search
schedule_window = 3
search = *base search*|timechart partial=f span=5m avg(pct) as Percent
0 Karma

jkat54
SplunkTrust

Have you seen this? http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertScript

Can you give more background on what sendalert does?

0 Karma

Cuyose
Builder

Basically, we are just creating a JSON payload and parsing it in the simple script below. The other info comes in fine, but the extradetails value, which is where I am testing this, always comes back empty.
def post_event(payload):
  # payload is the JSON document Splunk hands the alert script on stdin
  settings = payload.get('configuration', {})

  api_endpoint = settings.get('api_endpoint', '').rstrip('/')
  auth_token = settings.get('auth_token_override')
  if not auth_token:
    auth_token = settings.get('auth_token')

  #FIXME: ideally, this should not be the splunk_server that triggers the alert,
  #       but the host where the data are generated from.
  host = payload.get('server_host')
  severity = settings.get('severity')
  search_name = payload.get('search_name')
  result_link = payload.get('results_link')
  result_file = payload.get('results_file')  # trailing comma removed; it turned this into a tuple
  results_Percent = payload.get('results_Percent')  # value passed via the sendalert argument
  data = {
    'source': 'Splunk',
    'host': host,
    'eventtype': search_name,
    'severity': severity,
    'summary': search_name,
    'extradetails': results_Percent,
    'searchpath': result_file
  }
  return data
0 Karma
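The following is an added example, not the poster's script or Splunk's own code: a minimal custom alert script that parses the payload Splunk writes to the script's stdin. The documented payload keeps results_file, results_link, search_name and server_host at the top level, while anything declared as action.<name>.param.<key> in savedsearches.conf or alert_actions.conf, with its $result.*$ tokens already expanded, arrives under the configuration key. That is the layout the accepted answer relies on when it moves the value into a settings file. The sample payload, hostnames and endpoint below are constructed, and the actual HTTP post to the API is left out so the script runs offline.

```python
import json
import sys

# Constructed sample of the JSON payload a Splunk custom alert action receives on stdin.
# Key names follow the documented payload layout; every value here is made up.
SAMPLE_PAYLOAD = json.dumps({
    "app": "app",
    "owner": "admin",
    "server_host": "splunk-search-01.example.com",
    "search_name": "TEST AWS SPLUNK EMF ALERT PROD",
    "sid": "scheduler__admin__app__sample_sid_1234",
    "results_file": "/opt/splunk/var/run/splunk/dispatch/sched_1234/results.csv.gz",
    "results_link": "https://splunk-search-01.example.com:8000/app/app/@go?sid=sample_sid_1234",
    # Everything declared as action.emf.param.<key> in the conf file lands here,
    # with $result.Percent$ already replaced by the field value of the first result.
    "configuration": {
        "api_endpoint": "https://events.example.com/api/v1/",
        "auth_token_override": "xxx",
        "severity": "2",
        "results_Percent": "0.73",
    },
})


def load_sample():
    """Return the constructed payload as a dict (stand-in for reading stdin)."""
    return json.loads(SAMPLE_PAYLOAD)


def read_payload(stream):
    """Parse the payload from the given stream and reject anything that is not a JSON object."""
    payload = json.load(stream)
    if not isinstance(payload, dict):
        raise ValueError("alert payload must be a JSON object")
    return payload


def get_param(payload, name, default=None):
    """Look up a custom alert parameter; these live under 'configuration', not at the top level."""
    configuration = payload.get("configuration") or {}
    return configuration.get(name, default)


def parse_percent(raw):
    """Convert the expanded $result.Percent$ token to a float, or None when absent or malformed."""
    if raw in (None, ""):
        return None
    try:
        return float(raw)
    except ValueError:
        return None


def build_event(payload):
    """Assemble the outbound event from standard payload keys plus custom parameters."""
    settings = payload.get("configuration") or {}
    search_name = payload.get("search_name")
    return {
        "source": "Splunk",
        "host": payload.get("server_host"),
        "eventtype": search_name,
        "severity": settings.get("severity"),
        "summary": search_name,
        # The custom value comes from configuration; payload.get("results_Percent") would be None.
        "extradetails": parse_percent(get_param(payload, "results_Percent")),
        "searchpath": payload.get("results_file"),
        "searchlink": payload.get("results_link"),
    }


def main():
    # Splunk runs the script as: <script> --execute, with the payload on stdin.
    if "--execute" not in sys.argv[1:]:
        print("expected to be invoked by Splunk with --execute", file=sys.stderr)
        return 1
    event = build_event(read_payload(sys.stdin))
    # The auth token stays in the payload and is deliberately not echoed anywhere.
    print(json.dumps(event, indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To try it locally, pipe a payload file into the script: `python alert_script.py --execute < payload.json`. The parse_percent step matters because the token is expanded as a string and an empty or non-numeric value should degrade to a missing field rather than crash the action.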