I'm using Terraform to create Splunk alerts via automation for the project "monitoring as code". I found in the Terraform documentation that we can use the resource below to do the same:
resource "splunk_saved_searches" "saved_search" {
  name   = "Test New Alert"
  search = "index=main"

  # Alert action(s) to fire; here only the built-in email action
  actions                   = "email"
  action_email_format       = "table"
  action_email_max_time     = "5m"
  action_email_max_results  = 10
  action_email_send_results = false
  action_email_subject      = "Splunk Alert: $name$"
  action_email_to           = "splunk@splunk.com"
  action_email_track_alert  = true

  # Real-time window over the last 15 minutes
  dispatch_earliest_time = "rt-15m"
  dispatch_latest_time   = "rt-0m"
  cron_schedule          = "*/5 * * * *"

  # Ownership and sharing of the saved search object
  acl {
    owner   = "admin"
    sharing = "app"
    app     = "launcher"
  }
}
The above is working and I am able to receive Jira tickets for the Splunk alerts. I'm trying to bring the Splunk search results into Jira as an attachment. But as per the documentation's argument reference, I'm seeing only the arguments below for the Jira Service Desk add-on:
action_jira_service_desk_param_account - (Optional) Jira Service Desk account name
action_jira_service_desk_param_jira_project - (Optional) Jira Project name
action_jira_service_desk_param_jira_issue_type - (Optional) Jira issue type name
action_jira_service_desk_param_jira_summary - (Optional) Jira issue title/summary
action_jira_service_desk_param_jira_priority - (Optional) Jira priority of issue
action_jira_service_desk_param_jira_description - (Optional) Jira issue description
So I tried displaying Splunk tokenized variables in the Jira description like below:
alert query: "$search$"
alert results: "$result$"
But I'm getting output only for $search$ and not for $result$. But if I try any individual field, e.g. $result.userid$, I get output. So now I want to know
There is no mechanism for getting all results into an alert action. $result$ is not a recognized token. Result tokens must be in the form $result.<field>$ and only return fields from the first result row.
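Since $result.<field>$ only ever reads the first result row, the practical workaround is to make the search itself collapse everything into one row and then reference those aggregated fields in the Jira description, with $results_link$ pointing at the full result set. The following is an added example and not code from the question or answer above; the alert action name "jira_service_desk", the account/project/issue-type values, and the "user" field in the search are assumptions to be replaced for your environment.

```terraform
# Added example (not from the original question or answer).
# Assumptions: the Jira Service Desk add-on's alert action is named
# "jira_service_desk"; account, project, issue type and the "user" field
# extracted from the events are placeholders for your environment.
resource "splunk_saved_searches" "jira_alert" {
  name = "Failed logins summary"

  # Token expansion reads only the first result row, so the search
  # collapses all matching events into a single row: one count plus a
  # comma-joined list of users built with mvjoin() from the multivalue
  # field produced by values().
  search = <<-EOT
    index=main sourcetype=linux_secure "Failed password"
    | stats count AS total_failures, values(user) AS users
    | eval user_list=mvjoin(users, ", ")
  EOT

  # Scheduled (not real-time) search over the previous 15 minutes
  is_scheduled           = true
  cron_schedule          = "*/15 * * * *"
  dispatch_earliest_time = "-15m"
  dispatch_latest_time   = "now"

  # Fire only when at least one failed login was seen
  alert_type       = "number of events"
  alert_comparator = "greater than"
  alert_threshold  = "0"

  actions                                          = "jira_service_desk"
  action_jira_service_desk_param_account           = "jira-prod"        # assumed account name
  action_jira_service_desk_param_jira_project      = "SEC"              # assumed project key
  action_jira_service_desk_param_jira_issue_type   = "Task"
  action_jira_service_desk_param_jira_priority     = "Medium"
  action_jira_service_desk_param_jira_summary      = "Splunk Alert: $name$ ($result.total_failures$ failures)"

  # $result$ alone is NOT a recognized token and expands to nothing;
  # $result.<field>$ expands to that field from the first (here, only) row.
  # $results_link$ is a standard Splunk alert token that links to the
  # full result set in Splunk, the closest substitute for an attachment
  # within the arguments listed above.
  action_jira_service_desk_param_jira_description = <<-EOT
    Alert: $name$
    Search: $search$
    Failed logins in window: $result.total_failures$
    Users affected: $result.user_list$
    Full results: $results_link$
  EOT

  acl {
    owner   = "admin"
    sharing = "app"
    app     = "launcher"
  }
}
```

If the search is left as a raw event listing (for example the plain `index=main` from the question), $result.user_list$ would not exist and $result.userid$ would show only the first event's value; the `stats` plus `mvjoin()` step is what turns the whole result set into first-row fields the tokens can reach.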