So, if you want to use one or a few specific fields, add a table command with the needed parameters, at the end of your search:
my_search_cmd | table src, host, rhost
The result file will contain:
host,rhost,src,"mv_host","mv_rhost","__mv_src"
myhostname1,"1.2.3.4",myhostname2,,,
Then use the following script in the alert:
http://mdessus.free.fr/Divers/splunk_alert.pl
And take care of any " that may be passed by the alert to the script unescaped.
Hello,
you have to take the argument number 8 which contains the path to the file containing all events that matched the alert criteria. You then have to parse the CSV data in this file to find what you're interested in.
See the latest answer here:
http://splunk-base.splunk.com/answers/749/how-do-i-pass-event-arguments-to-scripts-run-in-response-to-splunk-alerts
Update: See my 2nd answer below with a script example.
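As an added example (not the author's splunk_alert.pl), the parsing step the two answers above describe: read the results file whose path arrives as argument 8, and pull out the fields kept by `| table src, host, rhost`. Assumptions not stated on the page: the file may be gzip-compressed (detected by magic bytes), and the extra `__mv_` columns carry multivalue fields in Splunk's `$v1$;$v2$` encoding.

```python
#!/usr/bin/env python3
"""Parse the CSV results file a Splunk alert hands to its script (argv[8])."""
import csv
import gzip
import io
import sys

MV_PREFIX = "__mv_"  # assumed: companion column holding multivalue encoding


def split_mv(encoded):
    """Decode the assumed multivalue encoding '$a$;$b$' into ['a', 'b']."""
    return [part.strip("$") for part in encoded.split(";") if part]


def parse_results(text):
    """Return one dict per result row; '__mv_' columns are folded into
    their base field as a list, so callers never see the raw encoding."""
    rows = []
    # csv handles quoted values such as "1.2.3.4" or an embedded comma;
    # reading the file ourselves avoids the unescaped-quote problem that
    # arises when field values are passed through a shell command line.
    for raw in csv.DictReader(io.StringIO(text)):
        row = {}
        for name, value in raw.items():
            if name.startswith(MV_PREFIX):
                continue  # consumed via its base field below
            mv = raw.get(MV_PREFIX + name)
            row[name] = split_mv(mv) if mv else value
        rows.append(row)
    return rows


def decode_results(data):
    """Accept raw file bytes, gunzip if needed, and parse."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    return parse_results(data.decode("utf-8"))


# Constructed sample: header as shown in the answer above plus a second
# row whose src is multivalued (constructed, assumed encoding).
SAMPLE = (
    'host,rhost,src,"__mv_host","__mv_rhost","__mv_src"\n'
    'myhostname1,"1.2.3.4",myhostname2,,,\n'
    'myhostname1,"1.2.3.4","a,b",,,"$a$;$b$"\n'
)

if __name__ == "__main__":
    if len(sys.argv) > 8:  # invoked by Splunk: argument 8 is the file path
        with open(sys.argv[8], "rb") as fh:
            results = decode_results(fh.read())
    else:
        results = decode_results(SAMPLE.encode("utf-8"))
    for r in results:
        print(r["host"], r["rhost"], r["src"])
```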
Have you tried to enter manual addresses in /etc/hosts (or the Windows equivalent if the deployment server runs Windows) in order to force Splunk to see non-balanced addresses?
Hi M-A 🙂
whitelist and blacklist are not a list of values, but a regular expression.
Have a look at the bottom of this page: http://docs.splunk.com/Documentation/Splunk/5.0/data/Specifyinputpathswithwildcards
If your lookup table is big, the first thing to try is to gzip it. It should improve performance.
However, if you really need more performance, the main option is to use an external command to do the lookup, such as a Python script or an indexed table in a database (for example using the MySQL connector).
Hello,
have a look here; it will require some web development knowledge, but it works:
http://docs.splunk.com/Documentation/Splunk/latest/Developer/UseCSS
I've quickly written a script that automatically reloads the specified app when the XML files are modified:
http://mdessus.free.fr/Divers/reloadSplunkApp.pl
Feedback is welcome.