Is there a way to pass the result of a savedsearch to a script? For example, if the search returns:

| suser | duser | shost | dhost |
|-------|-------|-------|-------|
| me    | you   | mine  | yours |
| you   | me    | yours | mine  |

I’d like the script to read the “shost” column and perform a certain function based on the content of shost.
These are the arguments Splunk passes to the script. But I’m not sure they contain the results.
* $0 = script name.
* $1 = number of events returned.
* $2 = search terms.
* $3 = fully qualified query string.
* $4 = name of saved splunk.
* $5 = trigger reason (i.e. "The number of events was greater than 1").
* $6 = Browser URL to view the saved search.
* $7 = This option has been deprecated and is no longer used
* $8 = file where the results for this search are stored (contains raw results).
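Added example, not part of the original post and not Splunk's own code: a script that takes the results file path from `$8` and pulls out the `shost` column. It assumes the file is CSV with a header row and may be gzip-compressed; `handle_host` and the hostname pattern are hypothetical placeholders. Field values originate from logged events, so they are validated before anything acts on them.

```python
import csv
import gzip
import re
import sys

# Assumed hostname shape; anything else is rejected instead of being acted on.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")

def open_results(path):
    """Open the results file as text, gzip-compressed or not (magic-byte check)."""
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"\x1f\x8b":
        return gzip.open(path, "rt", newline="", encoding="utf-8")
    return open(path, "rt", newline="", encoding="utf-8")

def read_column(path, column="shost"):
    """Return (valid_values, rejected_values) for one column of the results CSV."""
    valid, rejected = [], []
    with open_results(path) as fh:
        reader = csv.DictReader(fh)
        if reader.fieldnames is None or column not in reader.fieldnames:
            raise KeyError(f"column {column!r} not in results: {reader.fieldnames}")
        for row in reader:
            value = (row[column] or "").strip()
            (valid if HOST_RE.fullmatch(value) else rejected).append(value)
    return valid, rejected

def handle_host(host):
    """Hypothetical placeholder for the per-host action."""
    return f"would process {host}"

def main(argv):
    # argv[0]..argv[8] correspond to $0..$8 in the argument list above.
    if len(argv) < 9:
        print("expected the alert arguments $1..$8", file=sys.stderr)
        return 2
    valid, rejected = read_column(argv[8])
    for host in valid:
        print(handle_host(host))
    for bad in rejected:
        print(f"skipped unexpected shost value: {bad!r}", file=sys.stderr)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass validated values to any downstream command as a list of arguments, not through a shell string.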