Forums: SplunkAdministration: Custom script arguments outputting incorrect URL

Hi all,
I've written a custom script that pulls data from a Google Calendar when we want a page to go out. I've included the script below. Basically everything in the script works. However, the URL in argument position 6 is never found when I click on it in my SMS messages or my email. For instance, when I click through to https://splunk.foo.com/en-US/app/search/@go?sid=scheduler_nobody_search_Foo_Site_Check_at_1251757800 I receive the error "Could not find a job with an sid of "scheduler_nobody_search_Foo_Site_Check_at_1251757800". Cannot redirect to a view." Any ideas why the alert isn't generating a valid URL to my custom script? I also fired the echo.sh script just to make sure my Python script wasn't cutting off the arguments, and I receive the same error from the URL that echo saves to disk.

#!/usr/bin/env python
try:
    from xml.etree import ElementTree # for Python 2.5 users
except ImportError:
    from elementtree import ElementTree
import gdata.calendar.service
import gdata.service
import atom.service
import gdata.calendar
import atom
import getopt
import sys
import string
import time
import datetime
import smtplib

from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email import Encoders

#Get the on call person from the calendar

calendarId = 'foo'
privateId = 'bar'

#Set the default address as empty
to = ''
gmailUser = 'smsalerts@system.foo.com'
gmailPassword = 'bar'

calendar_service = gdata.calendar.service.CalendarService()

#Define the today and tomorrow in text as tomorrow is exclusive

currentTime = datetime.datetime.now()
startDate=currentTime.strftime("%Y-%m-%d")

currentTime = currentTime + datetime.timedelta(days=1)
endDate=currentTime.strftime("%Y-%m-%d")

print 'Date range query for events on Primary Calendar: %s to %s' % (startDate, endDate)

query = gdata.calendar.service.CalendarEventQuery(calendarId, privateId, 'full')
query.start_min = startDate
query.start_max = endDate
feed = calendar_service.CalendarQuery(query)

#Loop through each phone number and create an email
for i, an_event in enumerate(feed.entry):
    to += '%s@pcsms.co.nz; ' % an_event.title.text

subject = "Splunk has raised an alert"

text = '%(failureCount)s failures from query %(failedQueryName)s. %(dataUrl)s' % {'failureCount': sys.argv[1], 'failedQueryName': sys.argv[4], 'dataUrl': sys.argv[6] }

# The actual mail send

msg = MIMEMultipart()

msg['From'] = gmailUser
msg['To'] = to
msg['Subject'] = subject

msg.attach(MIMEText(text))

mailServer = smtplib.SMTP("smtp.gmail.com", 587)
mailServer.ehlo()
mailServer.starttls()
mailServer.ehlo()
mailServer.login(gmailUser, gmailPassword)
mailServer.sendmail(gmailUser, to, msg.as_string())

# Should be mailServer.quit(), but that crashes...

mailServer.close()

Possibly the search result that the link refers to is expiring before you get to click it. The default period for a search result to live is 2x the search run interval period (I heard it was 10x if you set the search to alert), but that may not be long enough for you to respond to it.

To increase the time for that search, add the parameter
dispatch.ttl = 100p
or
dispatch.ttl = 3600
into the stanza under the appropriate search definition in your savedsearches.conf file, to set it to 100 periods or 3600 seconds respectively.

We save a lot of searches we build with the search GUI. Is it possible to add this to the parameters when we save the search?

Eh, no, but you can make it a global default for every saved search that runs (scheduled or interactive) by putting the setting outside of a specific stanza.

Thanks, that got it. I put

dispatch.ttl = 100p

at the top of the /opt/splunk/etc/apps/search/local/savedsearches.conf file and that seems to have resolved the problem.

Note that your saved searches will stick around a lot longer than before and so you will wind up using more temp disk space in splunk_home/var/run/ on the search node to store them.
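An added example, not part of the original thread: a small Python resolver showing how the dispatch.ttl values discussed above combine, with a setting placed before the first stanza acting as the global default and a stanza-level value overriding it. The sample file contents, stanza names and the caller-supplied schedule period are constructed assumptions; the 2p fallback is the default described in the reply above.

```python
import re

# Constructed sample savedsearches.conf: the first line sits outside any
# stanza (global default); [Nightly Report] overrides it with a fixed value.
SAMPLE_CONF = """\
dispatch.ttl = 100p

[Foo Site Check]
cron_schedule = */5 * * * *
search = index=web status>=500

[Nightly Report]
cron_schedule = 0 2 * * *
dispatch.ttl = 3600
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; keys before any stanza go under 'default'."""
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            # Split on the first '=' only: search strings contain '=' too.
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_ttl(stanzas, name, period_seconds):
    """Resolve dispatch.ttl for one saved search to seconds.

    period_seconds is the search's run interval, supplied by the caller
    (assumption: it is not derived from cron_schedule here).
    """
    fallback = stanzas["default"].get("dispatch.ttl", "2p")
    value = stanzas[name].get("dispatch.ttl", fallback)
    if value.endswith("p"):
        return int(value[:-1]) * period_seconds  # multiple of the run period
    return int(value)                            # plain number of seconds

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for name, period in (("Foo Site Check", 300), ("Nightly Report", 86400)):
        print("%s: results kept for %d s" % (name, effective_ttl(conf, name, period)))
```

With a 5-minute search, a global 100p keeps each result for over eight hours, which is the extra disk use the last reply warns about.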