Let's look through each argument in the bullets that follow:
• $0 - script path: '/opt/splunk/bin/scripts/echo.sh'
• $1 - number of events returned: '4'
• $2 - search terms: 'index=_internal | head 100 | stats count by sourcetype'
• $3 - full search string: 'index=_internal | head 100 | stats count by sourcetype'
• $4 - saved search name: 'testingAction'
• $5 - the reason for the action: 'Saved Search [testingAction] always(4)'
• $6 - a link to the search results. The host is controlled in web.conf: 'http://vlbmba.local:8000/app/search/@go?sid=scheduler__admin__search__testingAction_at_1352667600_2efa1666cc496da4'
• $7 - deprecated: ''
• $8 - the path to the raw results, which are always gzipped: '/opt/splunk/var/run/splunk/dispatch/scheduler__admin__search__testingAction_at_1352667600_2efa1666cc496da4/results.csv.gz'
• STDIN - the session key when the search ran: 'sessionKey=7701c0e6449bf5a5f271c0abdbae6f7c'
The typical use for scripted alerts is to send an event to a monitoring system. You
could also imagine archiving these results for some compliance reason or to import
into another system.
Let's make a fun example that copies the results to a file, and then issues a cURL
statement. That script might look like:
#!/bin/sh
# Directory holding the results file ($8), i.e. the dispatch directory for this search
DIRPATH=$(dirname "$8")
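As an added example (not the book's script), here is a complete handler for the arguments listed above that does what the text describes: it archives the gzipped results and then calls a monitoring endpoint with cURL. The archive directory and monitoring URL are assumed placeholders; the dispatch path prefix is taken from the $8 value shown above.

```shell
#!/bin/sh
# Added example, not the book's script. ARCHIVE_DIR and MONITOR_URL are
# assumed placeholders; the dispatch prefix matches the $8 value above.
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/tmp/splunk_alert_archive}"
MONITOR_URL="${MONITOR_URL:-http://monitoring.example.invalid/open_ticket.cgi}"

# Accept only a results file inside Splunk's dispatch directory, with no
# '..' components, so a bad $8 cannot make the script copy arbitrary files.
valid_results_path() {
    case "$1" in */../*|*/..) return 1 ;; esac
    case "$1" in
        /opt/splunk/var/run/splunk/dispatch/*/results.csv.gz) return 0 ;;
    esac
    return 1
}

# Archive name = dispatch directory name (the search id) + .csv.gz
archive_name() {
    printf '%s.csv.gz\n' "$(basename "$(dirname "$1")")"
}

# The session key arrives on STDIN rather than argv, so it never shows in
# 'ps' output or the scheduler log; strip the 'sessionKey=' prefix.
read_session_key() {
    IFS= read -r line
    printf '%s\n' "${line#sessionKey=}"
}

handle_alert() {
    count="$1"; saved_search="$4"; results="$8"
    if ! valid_results_path "$results"; then
        echo "refusing unexpected results path: $results" >&2
        return 1
    fi
    dest="$ARCHIVE_DIR/$(archive_name "$results")"
    mkdir -p "$ARCHIVE_DIR" && cp "$results" "$dest" || return 1
    # Usable as 'Authorization: Splunk <key>' for REST calls back to splunkd;
    # keep it out of URLs, logs and the notification below.
    session_key=$(read_session_key)
    # -G with --data-urlencode builds a correctly encoded query string, so a
    # saved search name containing spaces or '&' cannot corrupt the request.
    curl -sS -G --data-urlencode "name=$saved_search" \
        --data-urlencode "count=$count" \
        --data-urlencode "filename=$(basename "$dest")" "$MONITOR_URL"
}

# Run the handler only when Splunk invokes the script with its 8 arguments.
if [ "$#" -ge 8 ]; then handle_alert "$@"; fi
```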