How the alert is defined
I have created a custom alert action after following the documentation found here: http://docs.splunk.com/Documentation/Splunk/6.6.0/AdvancedDev/ModAlertsIntro. My alert is defined like this:
[nimsoft]
is_custom = 1
label = Nimsoft Custom Alert Action
icon_path = action.png
payload_format = json
disabled = 0
alert.execute.cmd = powershell.path
alert.execute.cmd.arg.0 = -NoProfile
alert.execute.cmd.arg.1 = -f
alert.execute.cmd.arg.2 = $SPLUNK_HOME\etc\apps\klp_nimsoft_custom_alerts\bin\testArguments.ps1
alert.execute.cmd.arg.3 = --execute
param.result_count = $job.resultCount$
param.search_query = $job.search$
Problem description
The above alert is working almost just fine. Using PowerShell I am able to get hold of both the payload and the command line arguments; the script output looks like this:
[10/19/2017 8:23 AM]: Now loop all arguments
[10/19/2017 8:23 AM]: Arg 0: --execute
[10/19/2017 8:23 AM]: Settings are: @{app=klp_nimsoft_custom_alerts; owner=admin; results_file=D:\splunk\var\run\splunk\dispatch\scheduler__admin_...__TestAlarm_at_1508394180_23089\per_result_alert\tmp_24.csv.gz; results_link=http://SplunkSearch:80/app/klp_nimsoft_custom_alerts/search?q=%7Cloadjob%20scheduler__admin_....w__TestAlarm_at_....&earliest=0&latest=now; search_uri=/servicesNS/nobody/klp_nimsoft_custom_alerts/saved/searches/TestAlarm; server_host=SPLUNKSEARCH; server_uri=https://127.0.0.1:8089; session_key=iwb0t_....; sid=scheduler__admin_...__TestAlarm_at_1508394180_23089; search_name=TestAlarm; configuration=; result=}
[10/19/2017 8:23 AM]: All done
But the problem is that in order to really do the magic I need to do with the proper script, I need to know the number of events found by the alert, that is
param.result_count = $job.resultCount$
But the value is nowhere to be found, at least it cannot be found where I expect it to be found, so maybe I need to look into other places. Anyone able to see what's wrong here?
The Powershell script testArguments.ps1
It might be that someone is curious about how the script looks as well, so here goes:

<#
.Synopsis
Script used to verify Splunk alerts; writes both the command line arguments and stdin (payload) to a log file
.Description
Powershell -File "D:\Splunk\etc\apps\klp_nimsoft_custom_alerts\bin\testArguments.ps1"
#>

<#
Get current timestamp, used when writing to logfile
#>
function Get-TimeStamp {
    $timeStamp = "[" + (Get-Date).ToShortDateString() + " " + ((Get-Date).ToShortTimeString()) + "]"
    return $timeStamp
}

# The logfile
$fileName = "d:\temp\arguments_test_updated.log"

# If it exists, remove it
If (Test-Path $fileName) {
    Remove-Item $fileName
}

# Start printing all argv's (the alert.execute.cmd.arg.* values from alert_actions.conf)
$msg = (Get-TimeStamp) + ": Now loop all arguments"
Write-Host $msg
Add-Content $fileName $msg
for ( $i = 0; $i -lt $args.Count; $i++ ) {
    $msg = (Get-TimeStamp) + ": Arg $($i): $($args[$i])"
    Write-Host $msg
    Add-Content $fileName $msg
}

# Print stdin (the JSON payload Splunk pipes into the script)
# https://stackoverflow.com/questions/44695956/what-is-powershells-equivalent-to-pythons-sys-stdin-read
$settings = $input | Out-String | ConvertFrom-Json
# Note: concatenating the parsed object into a string only shows the top-level keys;
# nested objects such as "configuration" and "result" come out empty in the log line
$msg = (Get-TimeStamp) + ": Settings are: " + $settings
Write-Host $msg
Add-Content $fileName $msg

$msg = (Get-TimeStamp) + ": All done"
Write-Host $msg
Add-Content $fileName $msg
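Added example, not part of the question above and not the poster's script: a standalone PowerShell script that parses the JSON payload a modular alert pipes in on stdin and reads the param.* values from its configuration object, which is where Splunk's modular alert payload format places them with the "param." prefix dropped. The payload embedded below is a constructed sample with placeholder values (no real SID or session key); when nothing is piped in, the script falls back to it so it can be run interactively. The function name Get-AlertParams and the log format are my own choices. Note that it deliberately never writes session_key to the log, since that token grants access to the Splunk REST API on behalf of the alert owner.

```powershell
<#
Added example (not the original poster's script): parse a Splunk modular
alert payload and pick the param.* values out of its "configuration" object.
#>

function Get-AlertParams {
    param([Parameter(Mandatory)][string]$Json)

    $payload = $Json | ConvertFrom-Json

    # Splunk places each "param.<name>" from alert_actions.conf under
    # configuration.<name>. Fail loudly rather than silently return 0.
    if ($null -eq $payload.configuration) {
        throw "Payload has no 'configuration' object; is payload_format = json set?"
    }

    [pscustomobject]@{
        SearchName  = $payload.search_name
        Sid         = $payload.sid
        ResultsFile = $payload.results_file
        ResultCount = [int]$payload.configuration.result_count   # param.result_count
        SearchQuery = $payload.configuration.search_query        # param.search_query
    }
}

# CONSTRUCTED sample payload in the shape Splunk sends on stdin; every value
# is a placeholder, not a real SID, session key or path.
$samplePayload = @'
{
  "app": "klp_nimsoft_custom_alerts",
  "owner": "admin",
  "search_name": "TestAlarm",
  "sid": "scheduler__admin__SID_PLACEHOLDER",
  "session_key": "SESSION_KEY_PLACEHOLDER",
  "server_uri": "https://127.0.0.1:8089",
  "results_file": "D:\\splunk\\var\\run\\splunk\\dispatch\\SID_PLACEHOLDER\\results.csv.gz",
  "configuration": {
    "result_count": "3",
    "search_query": "index=_internal | head 3"
  },
  "result": { "_raw": "placeholder event" }
}
'@

# Read the real payload from stdin when invoked by Splunk; otherwise use the sample.
$raw = ([string]($input | Out-String)).Trim()
if (-not $raw) { $raw = $samplePayload }

$p = Get-AlertParams -Json $raw

# Log only what the action needs. session_key is intentionally left out.
$line = "[{0}] {1} ({2}): {3} result(s) for query: {4}" -f (Get-Date), $p.SearchName, $p.Sid, $p.ResultCount, $p.SearchQuery
Write-Host $line
```

Run interactively it prints the line built from the sample (3 results for "index=_internal | head 3"); wired into alert_actions.conf in place of testArguments.ps1 it reads the live payload instead. The SearchQuery value comes straight from $job.search$, so treat it as untrusted text if it is ever passed on to another command or written into a ticket.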