I am trying to pull data from Splunk via a search and send it to Netcool OMNIbus. Right now I am just sending it via an Alert Action to my email to figure this out. In doing so, I cannot seem to find a way to lock on to the actual message in the recorded log event itself. I hope this makes sense. It seems like it is difficult to actually pull and send out the actual result of a search. Passing all the information used for the search seems easy. Am I missing something here? I am really new to Splunk.
For example, if you look at the screen below from my search in Splunk, it finds and returns the log event I was looking for, but within the Alert Trigger I send out from Splunk via email, I want to actually send the log event, which is...
"[2016-10-14T13:14:57]:WARNING:HEMDP0173W:[WebContainer : 3]:No translation for severity 'P3-Low' could be found. Using the data source conversion instead."
Is this possible?
![alt text][1]
I do see that you can pass the following arguments...
| Arg | Environment Variable | Value |
|---|---|---|
| 0 | SPLUNK_ARG_0 | Script name |
| 1 | SPLUNK_ARG_1 | Number of events returned |
| 2 | SPLUNK_ARG_2 | Search terms |
| 3 | SPLUNK_ARG_3 | Fully qualified query string |
| 4 | SPLUNK_ARG_4 | Name of report |
| 5 | SPLUNK_ARG_5 | Trigger reason. For example, "The number of events was greater than 1." |
| 6 | SPLUNK_ARG_6 | Browser URL to view the report. |
| 7 | SPLUNK_ARG_7 | Not used for historical reasons. |
| 8 | SPLUNK_ARG_8 | File in which the results for the search are stored. |
But none of these contain the actual value of the search result, i.e. the log entry, which is what I want to send from Splunk via an Alert. So basically I guess I am looking for a way to actually send the returned data of the search result.
[1]: /storage/temp/165206-screen.png
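As an added example (not part of the original post, and not Splunk's or Netcool's own code), the following scripted alert action shows how the matching events can be recovered from the results file whose path Splunk passes to the script as argument 8 (SPLUNK_ARG_8). It assumes that file is a gzipped CSV with one row per matching event and the raw log line in the `_raw` column, which is how Splunk writes `results.csv.gz`; the sample results file embedded below is constructed for the example, and the hand-off to the OMNIbus probe is left as a placeholder `print`.

```python
#!/usr/bin/env python3
"""Scripted alert action: read the results file Splunk passes as SPLUNK_ARG_8
and turn each matching event's raw log line into a message to forward.

Assumptions (not from the original post): the results file is a gzipped CSV
with one row per event and the raw event text in the `_raw` column.
"""
import csv
import gzip
import io
import os
import sys

# Constructed sample results file, in the shape Splunk writes results.csv.gz.
SAMPLE_CSV = (
    "_time,host,source,_raw\n"
    "1476450897,app01,/var/log/app.log,"
    "\"[2016-10-14T13:14:57]:WARNING:HEMDP0173W:[WebContainer : 3]:"
    "No translation for severity 'P3-Low' could be found. "
    "Using the data source conversion instead.\"\n"
)
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode("utf-8"))


def read_results(data):
    """Decode a results file (gzipped or plain CSV bytes) into a list of
    dicts, one per matching event, keyed by column name."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    text = data.decode("utf-8", errors="replace")
    return list(csv.DictReader(io.StringIO(text)))


def raw_events(rows):
    """Return the raw log line (`_raw` column) of each event."""
    return [row["_raw"] for row in rows if row.get("_raw")]


def build_messages(rows, max_len=2048):
    """Build one forwardable message per event: time, host and raw line.

    The event text is truncated to max_len so an unusually large event cannot
    overwhelm whatever receives the message downstream.
    """
    messages = []
    for row in rows:
        msg = "{} {} {}".format(row.get("_time", ""), row.get("host", ""),
                                row.get("_raw", ""))
        messages.append(msg[:max_len])
    return messages


def main(argv=None):
    argv = sys.argv if argv is None else argv
    # Splunk provides the results path both as argv[8] and as SPLUNK_ARG_8.
    results_path = os.environ.get("SPLUNK_ARG_8")
    if not results_path and len(argv) > 8:
        results_path = argv[8]
    if not results_path:
        print("no results file passed (SPLUNK_ARG_8)", file=sys.stderr)
        return 1
    with open(results_path, "rb") as fh:
        rows = read_results(fh.read())
    for msg in build_messages(rows):
        # Placeholder: hand `msg` to the OMNIbus probe here. Keep event text
        # out of any shell command; it is attacker-influenced log data.
        print(msg)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it by pointing Splunk's alert action at the script (or, for a local check, by passing a results file path as the ninth argument); the `_raw` values it prints are exactly the log events the search matched, which is the content that the numbered arguments alone do not carry.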