Firstly, I am very new to Splunk app development. I'm trying to create a custom alert application and I'm having problems getting some of the information about the detected condition from the JSON payload available to the script.
If I was using a regular script action, I would have access to the following arguments passed to the script:
0 = Script name
1 = Number of events returned
2 = Search terms
3 = Fully qualified query string
4 = Name of report
5 = Trigger reason (i.e. "The number of events was greater than 1")
6 = Browser URL to view the report
7 = This option has been deprecated and is no longer used
8 = File where the results for this search are stored (contains raw results)
When using a custom alert app, these don't seem to apply and you get the data by reading stdin. I am using the JSON format, and some of the above are in fact included in the JSON payload; however, I don't see any key that relates to the trigger reason or the number of events returned.
How do I get access to those two specific pieces of information from the script being invoked from the custom alert app?
Thanks.
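As an added example that is not part of the original post, the script below shows the stdin-based flow the question describes: it parses the JSON payload an alert action receives, checks for the keys the script relies on before using them, and derives the event count the asker is missing by counting rows in the results file the post mentions (argument 8 in the old script-action list). The payload and the gzipped CSV results file are constructed inline, and the key names (`search_name`, `results_link`, `results_file`, `sid`) are the author's assumption about the payload layout, not something confirmed by the post. The trigger reason is deliberately not handled, since the post establishes no key for it.

```python
import csv
import gzip
import io
import json
import os
import sys

# Constructed sample payload (not captured from a real Splunk instance).
# Key names are assumed; REQUIRED_KEYS lists the ones this script depends on.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "example_alert",
    "results_link": "https://splunk.example.invalid/app/search/@go?sid=PLACEHOLDER",
    "results_file": "/PLACEHOLDER/path/to/results.csv.gz",
    "sid": "scheduler__PLACEHOLDER",
    "result": {"host": "web01", "count": "7"},
})

REQUIRED_KEYS = ("search_name", "results_link", "results_file")


def parse_payload(text):
    """Parse the JSON payload read from stdin and refuse to continue if a
    key the script depends on is absent, rather than failing later with a
    KeyError in the middle of the alert action."""
    payload = json.loads(text)
    if not isinstance(payload, dict):
        raise ValueError("alert payload must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError("payload missing keys: %s" % ", ".join(missing))
    return payload


def count_events_in_results(fileobj):
    """Count result rows in a gzipped CSV results file.

    The csv module is used instead of counting lines so that quoted fields
    containing newlines (common in raw event text) are counted once."""
    with gzip.open(fileobj, mode="rt", encoding="utf-8", newline="") as fh:
        reader = csv.reader(fh)
        next(reader, None)  # skip the header row
        return sum(1 for _ in reader)


def make_sample_results_gz(rows):
    """Build an in-memory gzipped CSV in the shape of a results file
    (constructed test data, not a real Splunk artifact)."""
    buf = io.BytesIO()
    with gzip.open(buf, mode="wt", encoding="utf-8", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["_time", "host", "_raw"])
        writer.writerows(rows)
    return io.BytesIO(buf.getvalue())


def summarize(payload_text, results_fileobj):
    """Return the fields an alert handler would log or forward."""
    payload = parse_payload(payload_text)
    return {
        "search_name": payload["search_name"],
        "results_link": payload["results_link"],
        "event_count": count_events_in_results(results_fileobj),
    }


if __name__ == "__main__":
    # In the real alert action the payload arrives on stdin; fall back to the
    # constructed sample when run interactively with nothing piped in.
    text = SAMPLE_PAYLOAD if sys.stdin.isatty() else sys.stdin.read()
    payload = parse_payload(text)
    if os.path.isfile(payload["results_file"]):
        results = open(payload["results_file"], "rb")
    else:
        # Placeholder path does not exist: use constructed results instead.
        results = make_sample_results_gz([
            ["2024-01-01T00:00:00", "web01", 'auth failure for user "bob"'],
            ["2024-01-01T00:00:01", "web02", "multi-line\nraw event"],
        ])
    with results:
        print(json.dumps(summarize(text, results), indent=2))
```

Running the script with no piped input prints the summary for the constructed data; in an actual alert action the payload would come from stdin and the results file from the path the payload names.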