- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get environment variables in alert action script?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I get the environment variables, for example $env:user$ into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$) but that just shows up as the literal $env:user$ in my script, not the logged in user. Any ideas?
Any tips or hints appreciated.
Thanks,
Jon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll post this as an official answer after having done some more testing. It does seem to work well.
In my alert_actions.conf, I put the following command(used a generic alert action name):
command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll post this as an official answer after having done some more testing. It does seem to work well.
In my alert_actions.conf, I put the following command(used a generic alert action name):
command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:
In my alert_actions.conf, I put the following command(used a generic alert action name):
command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$
It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By user do you mean the owner of the alert?
Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses the 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged in user(I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
