It turns out the entire circumstances of the alert were in fact available in the payload passed to my custom Python script via sys.stdin.read(). The example from which I derived this script only showed getting the custom configuration parameters via payload.get('configuration'). I had no idea there was so much more structure to that payload because I couldn't find any Splunk documentation on it. I've included a snapshot of the full payload structure below. Respectfully suggest that Splunk folks incorporate some good explanation of this structure into their otherwise very helpful documentation.
Thanks very much for the pointers, jdonn. Cheers!
{"app":"",
"owner":"",
"results_file":"",
"results_link":"",
"server_host":"",
"server_uri":"",
"session_key":"",
"sid":"",
"search_name":"",
"configuration":{"myCustomParam1":"","myCustomParam2":"","myCustomParam3":"","myCustomParam4":"","myCustomParam5":""},
"result":{"_confstr":"",
"_eventtype_color":"",
"_indextime":"",
"_kv":"",
"_raw":"",
"_serial":"",
"_sourcetype":"",
"_time":"",
"date_hour":"",
"date_mday":"",
"date_minute":"",
"date_month":"",
"date_second":"",
"date_wday":"",
"date_year":"",
"date_zone":"",
"eventtype":"",
"host":"",
"index":"",
"linecount":"",
"punct":"",
"source":"",
"sourcetype":"",
"splunk_server":"",
"timeendpos":"",
"timestartpos":""}
}
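An added example (my own code, not from the original post or from Splunk) of a custom alert action script that reads the payload shown above from stdin and pulls out the fields a handler usually needs. It assumes Splunk invokes the script with `--execute`, as it does for custom alert actions; the sample payload values are constructed. Note that `session_key` is a live Splunk credential, so the script redacts it before anything is logged.

```python
import json
import sys

# Payload fields that are credentials and must never be written to logs.
SENSITIVE_KEYS = {"session_key"}


def parse_alert_payload(raw):
    """Parse the JSON document Splunk passes to a custom alert action on stdin."""
    payload = json.loads(raw)
    # Both sub-objects are present in a real payload; default them so callers need no checks.
    for key in ("configuration", "result"):
        payload.setdefault(key, {})
    return payload


def redact(payload):
    """Return a shallow copy that is safe to log: the session key is masked, not dropped."""
    safe = dict(payload)
    for key in SENSITIVE_KEYS:
        if safe.get(key):
            safe[key] = "<redacted>"
    return safe


def summarise(payload):
    """Collect the alert context (search, event fields, custom params) from the payload."""
    result = payload["result"]
    return {
        "search_name": payload.get("search_name", ""),
        "sid": payload.get("sid", ""),
        "host": result.get("host", ""),
        "sourcetype": result.get("sourcetype", ""),
        "raw": result.get("_raw", ""),
        "params": payload["configuration"],
    }


# Constructed sample with the same shape as the payload in the post (all values made up).
SAMPLE_PAYLOAD = json.dumps({
    "app": "search", "owner": "admin", "session_key": "EXAMPLE-SESSION-KEY",
    "sid": "scheduler__admin__search__EXAMPLE", "search_name": "Failed logins",
    "configuration": {"myCustomParam1": "ticket-queue"},
    "result": {"_raw": "Failed password for root from 198.51.100.7",
               "host": "web01", "sourcetype": "linux_secure", "_time": "1700000000"},
})

if __name__ == "__main__":
    # Splunk runs the script as `script.py --execute` with the payload on stdin;
    # without that flag, fall back to the constructed sample so it can be run by hand.
    raw = sys.stdin.read() if "--execute" in sys.argv else SAMPLE_PAYLOAD
    data = parse_alert_payload(raw)
    print(json.dumps(redact(data), indent=2))
    print(summarise(data))
```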