Now I am actually on thin ice, because this is very much about reverse-engineering things, but here is what I have. First, I have a simple SPL search for the purpose of generating five random integers ranging from 1-10 and keeping those where the random number is greater than 2:

    | makeresults count=5
    | eval low = 0, high = 10, rand = random() % (high - low + 1) + low
    | streamstats count AS ID
    | where (rand > 2)
    | table ID

Using this as a search expression in an alert, defining the alert to be fired for each result individually, and employing throttling for a reasonable period of time, I should be able to follow what is going on. When the alert is fired, I simply execute a Perl script to do what I want. I have used something like this:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # The eight positional arguments Splunk passes to a scripted alert action;
    # the (gzipped) results file is the last one.
    my ($numev, $srch, $FQNSS, $searchname, $reason, $saved_search, $tags, $resultfile) = @ARGV;

    # -- Begin throttling bug workaround
    # Swap the file name for the per_result_alert directory beside it and
    # take the most recently modified file found there.
    my $resultdir = $resultfile;
    $resultdir =~ s/[^\/]+$/per_result_alert/;
    my $file = qx(ls -rt $resultdir | tail -1);
    $file =~ s/\s*$//;
    $file = "$resultdir/$file";
    $resultfile = $file if (-f $file);
    # -- End throttling bug workaround

    # Splunk hands the session key to the script on stdin.
    my $sessionKey = <STDIN>;

    # The results file is gzipped CSV, one row per line, header first.
    my @data = qx(/bin/zcat $resultfile);
    my $date = qx(/bin/date +"%Y%m%d%H%M%S.%N");

    open RESULTFILE, q(>>).q(/tmp/splunk-alert-results.txt) or die "cannot open log: $!";
    print RESULTFILE qq(\nTimestamp $date);
    print RESULTFILE "Resultfile = $resultfile \n";
    foreach (@data)
    {
        # Strip the quotes around the first field and re-join with semicolons.
        my @fields = split(',');
        $fields[0] =~ s/\"//g;
        print RESULTFILE join(';',@fields) ;
    }
    print RESULTFILE qq(Timestamp ) . qx(/bin/date +"%F %H:%M:%S.%N");
    close RESULTFILE;
    exit(0);

This is now supposed to read the latest file in the per_result_alert directory, and with this kind of test it seemed to work. However, with real events and real data I faced unexpected problems, and I had to implement the throttling manually in the real alert with real data. In any case, working with these per_result_alert files feels a little shaky, as one really doesn't know what one will find in that directory. In the end, I played around with the above, monitored the output files, and picked from there the proper locations for the alert results.
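The same workaround, written as an added example (not the poster's script or anything shipped by Splunk) in Python, which Splunk also runs for scripted alert actions. It keeps the behaviour described above: take the eight positional arguments, find the newest file in the per_result_alert directory next to the results file, fall back to the results file itself if that directory is missing, and append the rows to a log. Two things differ from the Perl version on purpose: the path is never interpolated into a shell command (`os.scandir` and `gzip.open` replace `ls -rt | tail -1` and `zcat`, so a results path containing shell metacharacters cannot be misinterpreted), and the CSV is parsed with `csv.DictReader`, so quoted fields that contain commas survive where `split(',')` would cut them. The directory name `per_result_alert` and the `/tmp` log path are taken from the post; the argument order is Splunk's documented order for legacy scripted alerts.

```python
#!/usr/bin/env python3
"""Splunk scripted alert action that reads the newest per-result file.

Added example, not the original poster's script. Assumes the legacy
scripted-alert argument order, with the gzipped results CSV as the
eighth argument, and a per_result_alert directory beside that file.
"""
import csv
import gzip
import os
import sys
from datetime import datetime

# Directory name used by the post's workaround (assumed, as in the post).
PER_RESULT_DIR = "per_result_alert"
LOG_PATH = "/tmp/splunk-alert-results.txt"


def newest_per_result_file(resultfile):
    """Return the most recently modified regular file in the per_result_alert
    directory that sits beside `resultfile`, or `resultfile` itself when that
    directory is absent or empty. No shell is involved, so the path is never
    parsed as a command line."""
    resultdir = os.path.join(os.path.dirname(resultfile), PER_RESULT_DIR)
    try:
        entries = [e for e in os.scandir(resultdir) if e.is_file()]
    except FileNotFoundError:
        return resultfile
    if not entries:
        return resultfile
    return max(entries, key=lambda e: e.stat().st_mtime).path


def read_results(path):
    """Parse a gzipped Splunk results CSV into a list of dicts keyed by the
    header row. Quoted fields containing commas are handled correctly."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def format_rows(rows, sep=";"):
    """Render each row as a `sep`-joined line in header order."""
    if not rows:
        return []
    header = list(rows[0].keys())
    return [sep.join(row[h] for h in header) for row in rows]


def main(argv):
    # Splunk passes: numev, srch, FQNSS, searchname, reason, saved_search,
    # tags, resultfile. Only the results file is needed here.
    if len(argv) < 9:
        sys.stderr.write("expected 8 arguments from Splunk\n")
        return 2
    resultfile = argv[8]
    # The session key arrives on stdin; read it but never write it to the log.
    _session_key = sys.stdin.readline().strip()

    path = newest_per_result_file(resultfile)
    rows = read_results(path)
    with open(LOG_PATH, "a") as out:
        out.write("\nTimestamp %s\n" % datetime.now().strftime("%Y%m%d%H%M%S.%f"))
        out.write("Resultfile = %s\n" % path)
        for line in format_rows(rows):
            out.write(line + "\n")
        out.write("Timestamp %s\n" % datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point the alert action at this script instead of the Perl one; the log format is the same apart from the timestamp precision (Python gives microseconds where `date +%N` gives nanoseconds). If the per_result_alert directory turns out to be empty or missing for a given firing, the script simply reads the results file Splunk named in the arguments rather than failing on an empty `ls` result.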