
Get environment variables in alert action script?

jef152
Explorer

How do I get the environment variables, for example $env:user$ into my alert action script? I've tried adding a parameter to my alert_actions.conf (param.envuser=$env:user$) but that just shows up as the literal $env:user$ in my script, not the logged in user. Any ideas?

Any tips or hints appreciated.

Thanks,

Jon


jef152
Explorer

I'll post this as an official answer after having done some more testing. It does seem to work well.

In my alert_actions.conf, I put the following command (used a generic alert action name):

 command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

jef152
Explorer

Well, after some experimentation and staring at the rest command page as well as the sendalert page, I think I have a solution:

In my alert_actions.conf, I put the following command (used a generic alert action name):

command=join [ | rest splunk_server=local /services/authentication/current-context| rename username as auth_user_id | fields auth_user_id ] | <alert action name here> param.user_select=$result.auth_user_id$

It basically joins a rest call of the local context user to the search alert as auth_user_id, then pipes to sendalert, adding the auth_user_id to a param. Seems to work so far....

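The receiving side of the join/rest trick above, as an added example that is not code from the thread: a custom alert action script that reads the value delivered through param.user_select, refuses to use it when it is missing or still the unexpanded $...$ token (the symptom in the original question), and cross-checks it against the same /services/authentication/current-context endpoint from inside the script. Assumptions not stated on the page: the action is a modular alert, so Splunk runs the script with --execute and writes a JSON payload to stdin containing configuration (the param.* values), result, session_key, server_uri, sid, owner and app; the sample payload, the username allow-list and the assertion that the payload's session_key belongs to the invoking user are mine, not the thread's.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): alert action script consuming
param.user_select=$result.auth_user_id$ and validating it before use."""
import io
import json
import re
import sys
import urllib.request
from typing import Callable, Optional

# The param value originates in a search result, so treat it as untrusted:
# accept only characters plausible in a Splunk username, with a length cap,
# before it reaches a log line, file path or shell command.
_USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,254}$")


def extract_invoking_user(payload: dict) -> Optional[str]:
    """Return the user carried in param.user_select, or None when the param is
    absent, still a literal $...$ token (substitution never happened, which is
    the failure the original question describes) or fails the allow-list.
    Deliberately no fallback to `owner`: the thread's point is that the
    invoking user is not necessarily the alert owner."""
    conf = payload.get("configuration") or {}
    candidate = str(conf.get("user_select") or "").strip()
    if not candidate or candidate.startswith("$") or not _USER_RE.match(candidate):
        return None
    return candidate


def current_context_user(server_uri: str, session_key: str,
                         opener: Callable = urllib.request.urlopen) -> Optional[str]:
    """Ask splunkd who owns `session_key` via the same REST endpoint the
    thread's `| rest` subsearch uses. `opener` is injectable for offline runs."""
    url = server_uri.rstrip("/") + "/services/authentication/current-context?output_mode=json"
    req = urllib.request.Request(url, headers={"Authorization": "Splunk " + session_key})
    with opener(req) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    entries = body.get("entry") or []
    username = entries[0].get("content", {}).get("username") if entries else None
    return username if username and _USER_RE.match(username) else None


def check_invoking_user(payload: dict, opener: Callable = urllib.request.urlopen) -> dict:
    """Combine both sources and flag disagreement. Assumption (not confirmed by
    the thread): for an interactive launch such as ES 'Run Adaptive Response',
    the payload's session_key belongs to the user the search-time join captured,
    so the two values should agree; log a mismatch before trusting either."""
    param_user = extract_invoking_user(payload)
    ctx_user = None
    if payload.get("server_uri") and payload.get("session_key"):
        try:
            ctx_user = current_context_user(payload["server_uri"], payload["session_key"], opener)
        except Exception as exc:  # network/parse failure: report, don't crash the action
            print("WARN current-context lookup failed: %s" % exc, file=sys.stderr)
    return {"param_user": param_user, "context_user": ctx_user,
            "consistent": param_user is not None and param_user == ctx_user}


def fake_context_opener(username: str) -> Callable:
    """Constructed stand-in for urllib.request.urlopen (offline use only)."""
    body = json.dumps({"entry": [{"name": "context", "content": {"username": username}}]}).encode()
    return lambda req: io.BytesIO(body)


# Constructed sample payload in the modular-alert shape; every value is invented.
SAMPLE_PAYLOAD = {
    "app": "SplunkEnterpriseSecuritySuite",
    "owner": "soc_automation",
    "sid": "scheduler__soc_automation__search__constructed_sid",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "constructed-session-key",
    "configuration": {"user_select": "jsmith"},
    "result": {"auth_user_id": "jsmith", "risk_object": "host42"},
}


def main() -> int:
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL unsupported execution mode, expected --execute", file=sys.stderr)
        return 1
    outcome = check_invoking_user(json.load(sys.stdin))
    if outcome["param_user"] is None:
        print("ERROR param.user_select missing, unexpanded or invalid", file=sys.stderr)
        return 2
    print("INFO action run by user=%s context_user=%s consistent=%s" % (
        outcome["param_user"], outcome["context_user"], outcome["consistent"]), file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To exercise it by hand, pipe a payload like SAMPLE_PAYLOAD into the script with --execute; Splunk writes the script's stderr to splunkd.log, which is where the INFO/WARN lines end up. The allow-list is the check a practitioner wants here: $result.auth_user_id$ is whatever the search produced, and a malformed or attacker-influenced result field should not flow unchecked into anything the script executes or writes.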
burwell
SplunkTrust

By user do you mean the owner of the alert?

Do you mean $owner$ as documented in http://docs.splunk.com/Documentation/Splunk/7.0.0/Alert/EmailNotificationTokens

jef152
Explorer

No, not the owner of the alert. For example, if a user is looking at an alert in Incident Review in ES and uses the 'Run Adaptive Response' to run my script on an alert, I want the script to capture that logged in user (I believe this is the $env:user$) that ran the script, not necessarily the owner of the alert.
