Community:Search Alert: How to get search result in Scripted Alert

From Splunk Wiki

Jump to: navigation, search

Scripted Alert to send a search result

Splunk's Scripted alert feature is great. But, as default, you cannot get search result. So, usually people use Email Alert to get search result.

Here are the available arguments and info. in Scripted Alert. 

$0 = Script name
$1 = Number of events returned
$2 = Search terms
$3 = Fully qualified query string
$4 = Name of saved search
$5 = Trigger reason (i.e. "The number of events was greater than 1")
$6 = Browser URL to view the saved search
$7 = This option has been deprecated and is no longer used
$8 = File where the results for this search are stored (contains raw results)

So, how can you get a result of a search result of the scheduled search with scripted alert? How about using "loadjob" search with a script to get a result of a saved search ? 

#
#  Here is an example
#


1. Set up a saved search and a schedule

  Saved Search Name: MyTestScriptedAlertSearch 
  The search       : index=_internal source="*metrics.log*" | head 5 
  Time Range       : -6m@m to -1m@m 
  Schedule         : every 5 min
  Action           : Script
  Script Name      : test_action.sh


2. Write a script in $SPLUNK_HOME/bin/scripts directory
(Make sure the script has a proper permission by chmod and chown)

#!/bin/bash
# File: test_action.sh 
# Description: To output saved search result
#

SPLUNK_HOME="/opt/splunk"
OUTPUT="test_output.log"
USER=admin
PASSWORD=changeme

$SPLUNK_HOME/bin/splunk search '| loadjob savedsearch="admin:search:$4" -auth ${USER}:${PASSWORD} > ${OUTPUT}

3. Check the output file
$ cat $SPLUNK_HOME/bin/scripts/test_output.log
Retrieved from "https://wiki.splunk.com/index.php?title=Community:Search_Alert:_How_to_get_search_result_in_Scripted_Alert&oldid=54250"
Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk