https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384870#M69182 <P>I don't see my custom alert action's logs as the documentation suggests I should.</P> <PRE><CODE>import sys # splat # Run with arbitrary input, e.g., index=_internal | head 1 | sendalert splat if __name__ == '__main__': print &gt;&gt;sys.stderr, "WARN splat look for me in the logs!" sys.exit(2) </CODE></PRE> <P>According to <A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog">https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog</A> :</P> <BLOCKQUOTE> <P>Access alert action script logs<BR /> [....] Any information that your script prints to STDERR will be treated as a log message. Message<BR /> prefixes, such as DEBUG, INFO, WARN, or ERROR, are treated as the log level. To review logs for an alert<BR /> action, select <STRONG>Settings&gt;Alert actions</STRONG>.<BR /> This takes you to the Alert Actions manager page. Select <STRONG>View log events</STRONG> for your alert action.</P> </BLOCKQUOTE> <P>When I run the above custom alert, I see nothing in the internal index. I <EM>do</EM> see its logs in <CODE>search.log</CODE> if it exits non-zero, of course, but I'd like to be able to see them from the <EM>View log events</EM> link.</P> <P>How can I see that WARN log line in <EM>View log events</EM> (viz., <CODE>index=_internal sourcetype=splunkd component=sendmodalert action="splat"</CODE>) as the documentation suggests I ought to?</P> Fri, 29 Mar 2019 14:59:48 GMT diletoan 2019-03-29T14:59:48Z https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384870#M69182 <P>I don't see my custom alert action's logs as the documentation suggests I should.</P> <PRE><CODE>import sys # splat # Run with arbitrary input, e.g., index=_internal | head 1 | sendalert splat if __name__ == '__main__': print &gt;&gt;sys.stderr, "WARN splat look for me in the logs!" sys.exit(2) </CODE></PRE> <P>According to <A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog">https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog</A> :</P> <BLOCKQUOTE> <P>Access alert action script logs<BR /> [....] Any information that your script prints to STDERR will be treated as a log message. Message<BR /> prefixes, such as DEBUG, INFO, WARN, or ERROR, are treated as the log level. To review logs for an alert<BR /> action, select <STRONG>Settings&gt;Alert actions</STRONG>.<BR /> This takes you to the Alert Actions manager page. Select <STRONG>View log events</STRONG> for your alert action.</P> </BLOCKQUOTE> <P>When I run the above custom alert, I see nothing in the internal index. I <EM>do</EM> see its logs in <CODE>search.log</CODE> if it exits non-zero, of course, but I'd like to be able to see them from the <EM>View log events</EM> link.</P> <P>How can I see that WARN log line in <EM>View log events</EM> (viz., <CODE>index=_internal sourcetype=splunkd component=sendmodalert action="splat"</CODE>) as the documentation suggests I ought to?</P> Fri, 29 Mar 2019 14:59:48 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384870#M69182 diletoan 2019-03-29T14:59:48Z https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384871#M69183 <P>Hi,</P> <P>Instead of <CODE>if name == 'main':</CODE>, can you please run simple script without that if condition ? Have a look at sample example script on doc <A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsBasicExample">https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsBasicExample</A></P> Mon, 01 Apr 2019 08:21:03 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384871#M69183 harsmarvania57 2019-04-01T08:21:03Z https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384872#M69184 <P>@harsmarvania57 , thanks. <CODE>'main'</CODE> was a formatting error of course. I could not persuade the indented code block to be formatted correctly, so I moved it. See again. I can try your simpler example, but it's not germane: I know that the script runs, and that <CODE>if</CODE> stanza is good python and in most other splunk docs (e.g., the HipChat handler in those docs). I just don't know where the output goes.</P> Mon, 01 Apr 2019 11:59:34 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384872#M69184 diletoan 2019-04-01T11:59:34Z https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384873#M69185 <P>The explanation appears to be that the stderr logs <EM>are</EM> properly captured to the internal index when a <EM>bona fide</EM> alert is configured (<STRONG>Searches, Reports, and Alerts</STRONG>).</P> <P>However, they <EM>are not</EM> captured when the same custom alert is run by hand using <CODE>sendalert my_custom_alert</CODE>.</P> <P>That's unexpected behavior, I'd say, but so it is.</P> Mon, 01 Apr 2019 15:44:09 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-alerts-logs-don-t-appear-in-internal-index/m-p/384873#M69185 diletoan 2019-04-01T15:44:09Z