Community:Search Alert: How to get search result in Scripted Alert
From Splunk Wiki
Scripted Alert to send a search result
Splunk's Scripted Alert feature is great, but by default the script does not receive the search results themselves, so people usually fall back on the Email Alert action to get them.
Here are the arguments Splunk passes to a scripted alert:
$0 = Script name
$1 = Number of events returned
$2 = Search terms
$3 = Fully qualified query string
$4 = Name of saved search
$5 = Trigger reason (e.g. "The number of events was greater than 1")
$6 = Browser URL to view the saved search
$7 = This option has been deprecated and is no longer used
$8 = File where the results for this search are stored (contains raw results)
So how can a scripted alert get at the results of the scheduled search that triggered it? How about running a "loadjob" search from the script to fetch the results of the saved search?
Here is an example.

1. Set up a saved search and a schedule:

   Saved Search Name: MyTestScriptedAlertSearch
   The search: index=_internal source="*metrics.log*" | head 5
   Time Range: -6m@m to -1m@m
   Schedule: every 5 min
   Action: Script
   Script Name: test_action.sh

2. Write a script in the $SPLUNK_HOME/bin/scripts directory (make sure the script has proper permissions and ownership, set with chmod and chown):

   #!/bin/bash
   # File: test_action.sh
   # Description: output the results of the saved search that fired this alert.
   # Splunk passes the saved search name to the script as $4.
   SPLUNK_HOME="/opt/splunk"
   OUTPUT="${SPLUNK_HOME}/bin/scripts/test_output.log"
   USER=admin
   PASSWORD=changeme

   # loadjob returns the results of the most recent run of the saved search.
   # The SPL string is in double quotes so that $4 expands; the inner quotes are escaped.
   "${SPLUNK_HOME}/bin/splunk" search "| loadjob savedsearch=\"admin:search:$4\"" -auth "${USER}:${PASSWORD}" > "${OUTPUT}"

3. Check the output file:

   $ cat $SPLUNK_HOME/bin/scripts/test_output.log
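As an added example that is not part of the wiki page, a more defensive version of the alert handler: it validates the eight arguments Splunk passes, reads the results file from $8 (assumed here to be a gzipped CSV, with a plain-file fallback), and builds the loadjob query from the approach above so that a saved search name containing quotes cannot break the SPL string. SPLUNK_HOME defaults to the page's /opt/splunk; OUTPUT, spl_quote, build_loadjob_query, read_alert_results and the etc/alert_auth credentials file are names chosen for this example, not Splunk settings.

```shell
#!/bin/sh
# Added example, not the wiki page's script. SPLUNK_HOME default is the
# page's /opt/splunk; OUTPUT, spl_quote, build_loadjob_query and
# read_alert_results are names chosen for this example.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
OUTPUT="${OUTPUT:-$SPLUNK_HOME/bin/scripts/test_output.log}"

# Escape backslashes and double quotes so a saved search name cannot
# terminate the quoted SPL string it is interpolated into.
spl_quote() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_loadjob_query OWNER APP NAME -> the SPL the page runs via "splunk search".
build_loadjob_query() {
    printf '| loadjob savedsearch="%s:%s:%s"' "$1" "$2" "$(spl_quote "$3")"
}

# read_alert_results FILE -> CSV rows from the results file Splunk passes as $8.
# Assumes the file is gzipped when it ends in .gz; otherwise reads it as-is.
read_alert_results() {
    [ -r "$1" ] || { echo "results file not readable: $1" >&2; return 1; }
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Entry point when Splunk invokes the script with its eight alert arguments
# ($1 event count, $4 saved search name, $5 trigger reason, $8 results file).
main() {
    [ "$#" -eq 8 ] || { echo "expected 8 alert arguments, got $#" >&2; exit 2; }
    {
        echo "# $(date -u +%Y-%m-%dT%H:%M:%SZ) alert=$4 events=$1 reason=$5"
        read_alert_results "$8"
    } >> "$OUTPUT"
    # The page's loadjob route, if the results file is not wanted. Credentials
    # are read from an assumed root-only file instead of being hard-coded:
    # "$SPLUNK_HOME/bin/splunk" search "$(build_loadjob_query admin search "$4")" \
    #     -auth "$(cat "$SPLUNK_HOME/etc/alert_auth")" >> "$OUTPUT"
}

if [ "$#" -eq 8 ]; then
    main "$@"
fi
```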