Alerting

take SID in an alert

gcusello
SplunkTrust

Hi all,
I need to use the SID as the filename in an outputcsv command.
I managed to do this in a normal search:

my_search
| ...
| addinfo
| outputcsv [ search * | head 1 | addinfo | eval query="my_alert_".info_sid | fields query | format "" "" "" "" "" "" ] singlefile=1

and I get a file called "my_search_1234567890.12345.csv".

The problem is when I schedule this search in an alert, because the output csv is "my_search_schedule_admin.csv"; in other words, when running as an alert, instead of the SID I get the fixed string "schedule_admin".

Does anyone have an idea where to look for a solution, or (better) have a solution to this problem?

Thank you in advance.

Bye.
Giuseppe

0 Karma

harsmarvania57
Ultra Champion

Just FYI, if you are using search head pooling or search head clustering then outputcsv is not compatible; see the reference doc http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Outputcsv#Distributed_deployments

0 Karma

gcusello
SplunkTrust

None of them: it's a single Search Head!
Anyway, my search runs correctly in search mode; this strange behavior only appears when it runs as an alert.
Thanks.
Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

One additional piece of information: I found that this problem occurs only on a Windows machine; on a Linux machine I get the correct SID.
Bye.
Giuseppe

0 Karma