topic Re: what is the easiest way to make alert (sound, python script, ...) in Splunk search in Splunk Dev

What is the easiest way to make alert (sound, python script, ...) in Splunk search?

erez10121012 — Tue, 05 Apr 2022 16:02:31 GMT

hi,

want to make an alert in Splunk, for example:

if _raw>10

make alert.

what is the easiest way to make alert?

can I do it within the search comment?

play wav file?

play through the browser?

python script?

Re: what is the easiest way to make alert (sound, python script, ...) in Splunk search

PickleRick — Tue, 05 Apr 2022 10:43:59 GMT

Wait a second.

You have to think how splunk works.

You can have an all-in-one installation on your desktop but in general, the splunk infrastructure is composed of several layers. There are indexers, there are search heads, and there is your browser which connects to a search head which typically is on a different host.

An alert in splunk sense is a search which triggers some action _on the search head_ if some conditions are fulfilled. So in general case - the alert action is performed on the search head which typically is in some server room, possibly on a virtual machine. Even if you created a custom "play wav file" script to handle such alert where would it play? In your rack cabinet? Kinda pointless, isn't it? 😉

You could try to add some client-side logic in a dashboard which would do something based on a value of specific form or something like that but that's purely client-side programming in JS and - frankly - it doesn't have much to do with Splunk itself, it's just inserting an external JS code into a Splunk dashboard. Probably can be done but I don't find the idea worth pursuing.

Re: what is the easiest way to make alert (sound, python script, ...) in Splunk search

erez10121012 — Tue, 05 Apr 2022 11:54:44 GMT

thanks for the detailed explanation.

"In your rack cabinet? Kinda pointless, isn't it?"

my "rack cabinet" is located close to my client computer, and the alert will reach to my client

Re: what is the easiest way to make alert (sound, python script, ...) in Splunk search

PickleRick — Tue, 05 Apr 2022 12:04:21 GMT

Well, in that case you might think of a custom alert action which will be performed on the search head (or all-in-one as I assume you have) but that's something you have to devise on your own because it's a very atypical case.

https://docs.splunk.com/Documentation/Splunk/8.2.5/AdvancedDev/ModAlertsIntro

Re: what is the easiest way to make alert (sound, python script, ...) in Splunk search

erez10121012 — Tue, 05 Apr 2022 13:02:29 GMT

A bit difficult to execute, there is no simple way to execute any command through the search, maybe ping?

Re: what is the easiest way to make alert (sound, python script, ...) in Splunk search

PickleRick — Tue, 05 Apr 2022 13:09:53 GMT

There is a script command https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Script

But it's also not as easy as just writing

| tstats count | ping

Running arbitrary commands from splunk search is not something that should be treated lightly.