Alerting

How to pass our command line arguments to script called from Splunk for alert triggered

jayannah
Builder

Hi

I configured an Alert for some search and configured perl script to be called when Alert is triggered. I understand by default Splunk sends some values as command line arguments to script (Ref: http://docs.splunk.com/Documentation/Splunk/5.0/Alert/Configuringscriptedalerts ).

My questions are here:
1. Can I pass my own values (not fixed values) to the script as command line arguments? The values may be derived from the search and hence may change every time.
2. Are there any limits on passing command line arguments to the script from Splunk?

If someone answers with examples, it will help a lot of Splunk users.

Regards
Jay


gkanapathy
Splunk Employee

First of all, if these are not 'fixed' how are they going to be set? Scripted alerts are launched by an instance of a Splunk saved search. Where would the instance of the search get these varying parameters?

Generally, you can have parameters that are fixed (simply by wrapping them in simple script, for example) or that vary by the saved search definition (by either using alert_actions.conf or by performing logic in the wrapper script), or you can have instance-specific actions by having your script use the documented parameters or the results file.

jayannah
Builder

Thanks for the response gkanapathy.

If I configure the alert to call the script, Splunk passes the complete results as an argument. But I want to pass only a few values extracted from the result to the script.

Here is my scenario:
1. I will issue the following search in Splunk. The result will have the host and source parameters and their values. I want to call a Python script with the host and source values as parameters.

Splunk Search:
source="D:\Splunk\sample-log.txt" shutdown | script python myPythonScript <> <>

Can you please explain how to call the values from result to the python script?

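The approach gkanapathy describes, carried through for the host/source scenario above, as an added example that is neither the poster's script nor Splunk's own code. It assumes the positional arguments Splunk documents for scripted alerts in the page the question links (argv[1] event count, argv[4] saved-search name, argv[5] trigger reason, argv[8] path to the gzipped CSV results file), a hypothetical downstream script name `myPythonScript.py`, and a self-imposed cap on forwarded arguments; the sample results CSV is constructed. The wrapper reads the results file rather than expecting Splunk to pass per-event values, then forwards the distinct host/source pairs as separate argv entries through `subprocess` without a shell, so values taken from indexed event data can never be interpreted as shell syntax. On the second question: Splunk itself does not impose a documented argument limit for the wrapper to work around; the operating system's ARG_MAX does, which is why the example caps the forwarded list and leaves the rest in the results file.

```python
#!/usr/bin/env python3
"""Splunk scripted-alert wrapper (added example, not Splunk's own code).

Splunk invokes an alert script with positional arguments; the ones used here
follow the "Configure scripted alerts" documentation linked in the question:
  argv[1]  number of events returned
  argv[4]  name of the saved search
  argv[5]  reason the alert fired
  argv[8]  path to the gzipped CSV file holding the search results
The downstream command name (myPythonScript.py) and the field names come from
the question's scenario; everything else is an assumption made for this example.
"""
import csv
import gzip
import io
import os
import subprocess
import sys

# Fields the question wants forwarded, in the order they will be passed.
FIELDS = ("host", "source")

# Constructed sample of what Splunk writes to the results file (CSV header + rows).
SAMPLE_RESULTS_CSV = (
    "_time,host,source,_raw\n"
    "2024-03-01T10:00:00,web01,D:\\Splunk\\sample-log.txt,shutdown requested\n"
    "2024-03-01T10:00:05,web01,D:\\Splunk\\sample-log.txt,shutdown complete\n"
    "2024-03-01T10:01:00,db02,D:\\Splunk\\other.txt,shutdown requested\n"
)


def parse_alert_args(argv):
    """Map Splunk's positional alert arguments to names; missing ones become None."""
    def pick(i):
        return argv[i] if len(argv) > i else None
    return {
        "event_count": pick(1),
        "search_name": pick(4),
        "trigger_reason": pick(5),
        "results_file": pick(8),
    }


def extract_field_values(csv_text, fields=FIELDS):
    """Return the distinct (host, source, ...) tuples found in the results CSV,
    in first-seen order. Rows lacking any requested field are skipped."""
    seen = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        values = tuple(row.get(f, "") for f in fields)
        if all(values) and values not in seen:
            seen.append(values)
    return seen


def read_results_file(path):
    """Read Splunk's results file; it is gzip-compressed CSV (.csv.gz) by default."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", newline="") as fh:
        return fh.read()


def build_command(script, value_tuples, max_args=200):
    """Build an argv list: each tuple's values are appended as separate arguments.
    The values come from indexed event data, so they are never spliced into a
    shell string; a list handed to subprocess keeps them as literal arguments.
    max_args is a self-imposed cap for this example (the real limit is ARG_MAX)."""
    cmd = [sys.executable, script]
    for values in value_tuples:
        if len(cmd) + len(values) > max_args:
            break  # stop rather than exceed the cap; the rest stays in the results file
        cmd.extend(values)
    return cmd


def main(argv):
    args = parse_alert_args(argv)
    if not args["results_file"] or not os.path.isfile(args["results_file"]):
        sys.stderr.write("no results file passed by Splunk\n")
        return 2
    pairs = extract_field_values(read_results_file(args["results_file"]))
    if not pairs:
        return 0
    cmd = build_command("myPythonScript.py", pairs)  # hypothetical downstream script
    return subprocess.call(cmd)  # no shell=True: field values cannot inject commands


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Deploy the wrapper as the alert's script and let it call the real `myPythonScript.py`; the alert's search itself only needs to return the fields you want forwarded. If the downstream script needs more than a handful of values, pass it the results file path instead of the values and parse the CSV there, which sidesteps the argument-length question entirely.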