Community:Use Splunk alerts with scripts to create a ticket in your ticketing system

From Splunk Wiki


Generate a ticket in your ticketing system from a Splunk alert

You can take any Splunk saved search and tell it to use a script to create a ticket in a system (such as Remedy) based on the search results.

To do this, set up your saved search, put it on a schedule, and set the action to trigger a shell script you've written whenever the number of events you're interested in is > 0.

Put your script (not the Remedy script) in /opt/splunk/bin/scripts.

This script should call the Java program that Remedy uses to generate tickets and pass it data from the Splunk alert. Splunk alerts support the following variables:

  • $1 = number of events returned
  • $2 = search terms
  • $3 = fully qualified search string
  • $4 = name of the saved search
  • $5 = the reason the action/script was triggered (for example, the number of events returned was >1)
  • $6 = a link to the saved search in Splunk
  • $7 = a list of the tags belonging to this saved search (this option was removed starting in Splunk 3.6)
  • $8 = path to a file where raw results of this search are located (as opposed to passing the actual results into the ticket; this could be a lot of data).

The following example script passes the reason the script was triggered, a link to the saved search, and the path to the search results file into the ticket that the generateRemedyTicket Remedy script creates when it's run.

#! /bin/sh
# $5 = trigger reason, $6 = link to the saved search, $8 = path to the raw results file.
# Quote the arguments: the trigger reason contains spaces and would otherwise be split into several.
/usr/bin/java /var/run/generateRemedyTicket "$5" "$6" "$8"
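As an added example (not the page's own script, and not Remedy's), the same alert-script pattern written out in full: it builds a ticket title and body from the positional arguments Splunk passes and caps how much of the results file ($8) is copied into the ticket, since that file can be large. The ticket CLI it calls and the sample results file it writes are assumptions.

```shell
#!/bin/sh
# Added example, not the page's script: a Splunk alert script that builds a
# ticket title and body from the arguments Splunk passes ($1 event count,
# $4 saved-search name, $5 trigger reason, $6 link, $8 results file) and
# hands them to a hypothetical ticket CLI in place of the Remedy program.
# MAX_LINES caps how much of the results file goes into the ticket.
MAX_LINES=20

# One-line ticket title from the event count and the saved search name.
ticket_title() {
    printf 'Splunk alert: %s (%s events)\n' "$2" "$1"
}

# Ticket body: trigger reason, link, then at most MAX_LINES lines of results.
# A missing or unreadable results file is reported rather than aborting.
ticket_body() {
    reason="$1"; link="$2"; results="$3"
    printf 'Trigger reason: %s\nSearch link: %s\n' "$reason" "$link"
    if [ -r "$results" ]; then
        total=$(wc -l < "$results" | tr -d ' ')
        shown=$total
        if [ "$total" -gt "$MAX_LINES" ]; then shown=$MAX_LINES; fi
        printf 'Results (%s of %s lines):\n' "$shown" "$total"
        head -n "$MAX_LINES" "$results"
    else
        printf 'Results file not readable: %s\n' "$results"
    fi
}

# Constructed sample results in a CSV layout (assumed, not Splunk's exact
# format); prints the path of the temporary file it wrote.
make_sample_results() {
    f=$(mktemp)
    printf '%s\n' '_time,user,src' \
        '2009-01-01T00:00:01,alice,10.0.0.5' \
        '2009-01-01T00:00:02,bob,10.0.0.7' > "$f"
    printf '%s\n' "$f"
}

# Entry point when Splunk runs the script with its eight arguments; the
# ticket CLI below is hypothetical, substitute your ticketing system's command.
create_ticket() {
    title=$(ticket_title "$1" "$4")
    body=$(ticket_body "$5" "$6" "$8")
    /usr/local/bin/ticketctl create --title "$title" --body "$body"
}

if [ $# -ge 8 ]; then create_ticket "$@"; fi
```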