We are using a Perl script to create tickets when a given event meets a certain threshold. How can we include the results of the search in the ticket? This seems like it should be pretty easy, but darned if I can figure out how to get at that data. Otherwise, all we have is a ticket with a link to the search we have to click on to get at the information we seek.
Thanks.
I've found something interesting there...
https://github.com/georgestarcher/Splunk-Alert/blob/master/targetlist.py
http://www.georgestarcher.com/splunk-alert-scripts-automating-control/
The Splunk doc is really missing some examples...
Have you had any luck with this? I am looking at the same thing.
So there is no other way to get the raw data and read it manually in the script? 😞
In which form are they stored?
From the link in my answer post:
$8 = path to a file where raw results of this search are located (as opposed to passing the actual results into the ticket--this could be a lot of data).
I use an email alert for grabbing the full search result to send to our ticketing system. Some of my alerts send the results as a PDF. This was simple and cleaner to interface with CA's Service Desk application.
I think you would have to cat $8, but I bet its format is not very pretty since it contains raw results.
$8 = File where the results for this search are stored (contains raw results)
Which of the available variables will give me the results of the search? Not the fact the alert fired but the OUTPUT of the search.
Then it might be the way you are handling the variables. That example was Bash, so $1, $2, etc. are defined as positional parameters passed to the script. This would be represented differently in Perl. My Perl skills are not that great, but if I'm not mistaken they would be something like $ARGV[1], $ARGV[2], etc.
Been there, done that. It doesn't include the results.
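An added example (not from this thread or from the linked targetlist.py) of the approach the answers describe: read the result file that Splunk hands the alert script as $8 and put its contents into the ticket body. It assumes the file is the standard gzipped CSV (results.csv.gz) that Splunk writes for legacy alert scripts; the script is written in Python rather than Perl, where the same argument is sys.argv[8] (in Perl it would be $ARGV[7], since @ARGV does not include the script name). The sample rows, the field names and the row/field-length caps are constructed for the example; the caps address the point made above that the result set can be a lot of data.

```python
#!/usr/bin/env python3
"""Read a Splunk alert's result file and build a ticket body from it.

Splunk passes a legacy alert script positional arguments; the eighth one
($8 in bash, sys.argv[8] here) is the path to the search results.
Assumption: the file is the gzipped CSV (results.csv.gz) Splunk writes;
a plain CSV is handled as well.
"""
import csv
import gzip
import os
import sys
import tempfile

MAX_ROWS = 20         # cap rows copied into the ticket: the file can be large
MAX_FIELD_LEN = 200   # truncate long values such as _raw


def read_results_file(path):
    """Return the result rows as a list of dicts (column name -> value).

    Detects gzip by its magic bytes so both results.csv.gz and a plain
    results.csv are accepted.
    """
    with open(path, "rb") as fh:
        magic = fh.read(2)
    opener = gzip.open if magic == b"\x1f\x8b" else open
    with opener(path, "rt", newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


def format_ticket_body(rows, max_rows=MAX_ROWS, max_field_len=MAX_FIELD_LEN):
    """Render rows as plain text for a ticket, with row and field-length caps."""
    if not rows:
        return "Search returned no results."
    fields = list(rows[0].keys())
    lines = ["%d result(s); showing %d" % (len(rows), min(len(rows), max_rows))]
    for row in rows[:max_rows]:
        parts = []
        for field in fields:
            value = row.get(field) or ""
            if len(value) > max_field_len:
                value = value[:max_field_len] + "..."
            parts.append("%s=%s" % (field, value))
        lines.append("; ".join(parts))
    if len(rows) > max_rows:
        lines.append("... %d more row(s) omitted" % (len(rows) - max_rows))
    return "\n".join(lines)


def demo():
    """Write a constructed sample results.csv.gz and run the pipeline on it."""
    sample = (
        "_time,host,src_ip,count\n"
        "2024-01-01T00:00:00,web01,10.0.0.5,42\n"
        "2024-01-01T00:05:00,web02,10.0.0.6,17\n"
    )
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        fh.write(sample)
    rows = read_results_file(path)
    return rows, format_ticket_body(rows, max_rows=1)


if __name__ == "__main__":
    if len(sys.argv) > 8:
        # Invoked by Splunk: argv[8] is the result file ($8 in the bash example)
        results = read_results_file(sys.argv[8])
        body = format_ticket_body(results)
    else:
        # Run by hand: exercise the code on the constructed sample file
        _, body = demo()
    # Hypothetical hand-off point: replace with the ticketing system's API call
    print(body)
```

Invoked from Splunk, the script sees the real result file in `sys.argv[8]`; run by hand without arguments it builds a throwaway sample file so the parsing and formatting can be checked before wiring it to the ticketing system.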