Splunk Search

How to show the alert results in a perl script

theouhuios
Motivator

Hello

I have an alert scheduled to run every 5 mins with custom conditions. What I need to do is to use these search results in a perl script. Can anyone please tell me how I output these in a perl script? Are the emails which are generated when the custom condition is met being stored somewhere on the Splunk server? I need to use that data and extract some fields from it to call our internal mailing server to generate customized emails.

Regards

theou


sbsbb
Builder

I've found something interesting there...
https://github.com/georgestarcher/Splunk-Alert/blob/master/targetlist.py
http://www.georgestarcher.com/splunk-alert-scripts-automating-control/

The splunk doc is really missing some examples...

0 Karma

sbsbb
Builder

I'm also missing a good example...
Until now, the answers only talk about the way to run the script, not how to get the results in the script!

Is it necessary to take the savedsearch parameter and go over the API to get the results? This would be a pity.

0 Karma

Raoul_Duke
Explorer

A couple of folks already linked to the wiki page, but Splunk sets system variables for several search variables starting with '$1'. My colleague and I built something similar a while back with a bash script. One of the variables, I can't recall which one, was not being populated consistently (we're running Splunk 4.3.1), so in the end I decided just to use the SPLUNK_SEARCH_NAME variable and parse it to gather the slots I need to populate in Service Desk. Then I just name each saved search in the format 'APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE' and I can parse that out into the fields needed by SD. You could of course map the other available variables too. Obviously you'd need to understand your ticketing system's API or command line.

#!/bin/ksh -x

# Set default splunk parameters to variables
# (the positions Splunk passes to a scripted alert; $7 is the deprecated
# tags slot, which is why it is skipped)
SPLUNK_EVENT_COUNT=$1      # number of events returned
SPLUNK_SEARCH_TERMS=$2     # search terms
SPLUNK_QUERY_STRING=$3     # fully qualified query string
SPLUNK_SEARCH_NAME=$4      # name of the saved search
SPLUNK_ALERT_TRIGGER=$5    # reason the alert fired
SPLUNK_SEARCH_URL=$6       # link to the saved search results
SPLUNK_SEARCH_RESULTS=$8   # path to the file holding the raw results

Raoul_Duke
Explorer

Sorry for the large bold text, I'm not sure what happened there.

0 Karma

lguinn2
Legend

Why don't you use a script for the alert? Just supply a shell script (or batch script) that runs your perl program.

Splunk supplies a number of arguments to the script, including a URL to view the search results and a link to the file containing the raw search results.

More info here: Configure Scripted Alerts

0 Karma
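Putting the two answers above together as an added example (this is not code from Splunk, nor from lguinn2 or Raoul_Duke): a wrapper a scripted alert can call, which reads the raw results file that Splunk 4.x passes as $8 (a gzipped CSV), picks fields out of it by header name, splits the saved-search name the way Raoul_Duke's APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE convention does, and hands everything to a mailer program one result at a time. The mailer path (MAILER) and the sample results file are assumptions standing in for the asker's perl script and for a real alert's output. The point worth noticing is that every value in the results file came out of log data, so the wrapper passes those values as separate arguments and never splices them into a command string; a wrapper that builds a mail command by string interpolation is a command-injection hole running with Splunk's privileges.

```sh
#!/bin/sh
# Added example for this thread, not code from Splunk or from any poster.
# Splunk 4.x hands a scripted alert its context as positional arguments:
#   $1 event count, $2 search terms, $3 query string, $4 saved-search name,
#   $5 trigger reason, $6 link to the results, $8 path to a gzipped CSV of
#   the raw results ($7 is the deprecated tags slot). The results file is
#   where the field values live; all of it came from log data, so it is untrusted.
set -u

# Constructed stand-in for the file Splunk writes to $8 (header row + results).
# The second user value carries shell metacharacters on purpose.
make_sample_results() {
  f="$(mktemp)" || return 1
  printf '%s\n' \
    '_time,host,user,src_ip' \
    '"2013-01-01T00:00:00",web01,alice,10.0.0.5' \
    '"2013-01-01T00:01:00",web02,"bob; rm -rf /",10.0.0.9' | gzip -c > "$f"
  printf '%s\n' "$f"
}

# select_fields RESULTS_GZ "f1,f2,..." -> one tab-separated line per result with
# the requested fields in the requested order; header dropped, surrounding
# quotes stripped. Exit status 2 if a field is not in the header. Deliberately
# simple CSV reading: commas inside quoted values are not handled here.
select_fields() {
  gzip -dc "$1" | awk -v wanted="$2" -F',' '
    BEGIN { n = split(wanted, want, ",") }
    NR == 1 {
      for (i = 1; i <= NF; i++) { h = $i; gsub(/^"|"$/, "", h); col[h] = i }
      for (k = 1; k <= n; k++)
        if (!(want[k] in col)) { print "missing field: " want[k] > "/dev/stderr"; exit 2 }
      next
    }
    {
      line = ""
      for (k = 1; k <= n; k++) {
        v = $(col[want[k]]); gsub(/^"|"$/, "", v)
        line = line (k > 1 ? "\t" : "") v
      }
      print line
    }'
}

# parse_search_name NAME -> Raoul_Duke's APPLOG~CRITICALITY~ENVIRONMENT~MESSAGE
# naming convention split into four tab-separated slots.
parse_search_name() {
  printf '%s\n' "$1" | awk -F'~' '{ printf "%s\t%s\t%s\t%s\n", $1, $2, $3, $4 }'
}

# Stand-in for the asker's perl mailer: it only reports its argv on stderr.
# Point MAILER at the real program; the path in the comment is an assumption.
dry_run_mailer() {
  printf 'would mail:' >&2
  for a in "$@"; do printf ' [%s]' "$a" >&2; done
  printf '\n' >&2
}
MAILER="${MAILER:-dry_run_mailer}"    # e.g. MAILER=/opt/alerts/custom_mail.pl

# notify_from_results RESULTS_GZ SEARCH_NAME -> calls MAILER once per result and
# prints how many calls were made. Field values travel as separate argv entries,
# never inside a command string, so "bob; rm -rf /" stays an inert string.
notify_from_results() {
  rows="$(select_fields "$1" "user,src_ip")" || return $?
  IFS="$(printf '\t')" read -r app crit environment msg <<EOF
$(parse_search_name "$2")
EOF
  [ -n "$rows" ] || { echo 0; return 0; }
  count=0
  while IFS="$(printf '\t')" read -r user src_ip; do
    "$MAILER" --app "$app" --criticality "$crit" --env "$environment" \
              --subject "$msg" --user "$user" --src "$src_ip" || return 1
    count=$((count + 1))
  done <<EOF
$rows
EOF
  echo "$count"
}

# Under Splunk this file is the alert action and $4/$8 are already set; the
# guard lets it run stand-alone against the constructed sample instead.
if [ "$#" -ge 8 ]; then
  notify_from_results "$8" "$4"
else
  sample="$(make_sample_results)"
  notify_from_results "$sample" 'APPLOG~CRITICAL~PROD~Failed logins'
  rm -f "$sample"
fi
```

Run stand-alone it prints the argv each mail call would receive and then the count, 2; installed as the alert script it takes its inputs from Splunk's arguments instead. The perl program on the receiving end then reads its own @ARGV, which is the answer to the original question: the fields do not arrive through the email, they arrive through the results file named in $8, and the wrapper is the place to pull them out.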

theouhuios
Motivator

But how will I create a perl script to extract specific fields unless I see how the result is being generated on a *nix machine? Do you mean to say that I can specify the fieldnames from the table which is being created when the savedsearch is run in my perl script?

0 Karma

alacercogitatus
SplunkTrust

A scheduled search can be configured to execute a script as well as send an email. Currently, I think it will only support a bash script, which you can then use to call the perl script. The link below gives you an idea how this happens:

http://wiki.splunk.com/Community:Use_Splunk_alerts_with_scripts_to_create_a_ticket_in_your_ticketing...
