topic Re: Alerts and scripts with parameters in Alerting

Alerts and scripts with parameters

phoenixdigital — Fri, 27 May 2011 04:24:42 GMT

Hi All,

I am trying to get alerts to call a script with some parameters. I am aware splunk adds 8 or 9 parameters but I would also like to add my own as well which I will change from alert to alert. All alerts will use a common script and it's behaviour will be slightly different depending on the parameters passed.

The script lives in $SPLUNK_HOME/bin/scripts/ looks like this

#!/opt/splunk/bin/python

webPath = "/tmp/"
fileBasename = "-signal.txt"

propsalData = "proposal=" + sys.argv[2]
outputFilename = webPath + sys.argv[1] + fileBasename
output = open(outputFilename,'wb')
output.write(propsalData)
output.close()

As you can see the first parameter is prepended to the name of the file to create. The second parameter is put inside the text file.

For the life of me I can't seem to add these parameters in both the GUI and from a conf file.

In the GUI I have tried each of these in the script textfield



create-station-signal-file.py paramTest 34

'create-station-signal-file.py paramTest 34'

"create-station-signal-file.py paramTest 34"

All give an error like below in splunkd.log

05-27-2011 14:12:24.105 +1000 ERROR script - command="runshellscript", Cannot find script at /opt/splunk/bin/scripts/create-station-signal-file.py paramTest 34

When editting in the savedsearches.conf file directly I made them look like this



action.script.filename = create-station-signal-file.py paramTest 34

action.script.filename = "create-station-signal-file.py paramTest 34"

action.script.filename = 'create-station-signal-file.py paramTest 34'

same errors as above.

Does anyone know if this is possible to pass some parameters in?

If not thats a real pain as I have to take this one simple script and replicate it 20+ times for each alert. Which is even worse if I decide to modify the script slightly in the future.

Thoughts?

Also I did test a simplified no parameters required script and it worked so incase you are thinking python scripts wont work they do 🙂

Re: Alerts and scripts with parameters

mw — Sun, 29 May 2011 12:54:30 GMT

I would imagine that Splunk is handling the script as a single quoted name, possibly so that you can have a script with spaces in the name. I imagine that your desire is to keep the script logic common to everything, and located in a single script -- that could be handled differently: make a small script for each case which simply passes the proper parameters to the main script, and use that script instead e.g.:

alert1.sh

#!/bin/sh
create-station-signal-file.py paramTest 34

Or you could have the main script contain logic to determine the proper parameters based on the search name or some other value. Or you could do something in between those: make soft links to the script with different names, and then within the script do something like:

if sys.argv[0] is 'alert1.py':
  params = ('paramTest', '34')

Re: Alerts and scripts with parameters

phoenixdigital — Tue, 31 May 2011 08:30:26 GMT

Thanks for the response I was worried you would say that.

I had thought of the softlink option which would work but would not be ideal

It's a shame because the scripted inputs behave in this manner. Would be nice if they were consistent 😉

Re: Alerts and scripts with parameters

jayannah — Fri, 05 Apr 2013 12:29:05 GMT

I think the question here is, how to pass our own values (dynamically derived from event) to Script (phython/perl/shell) as command line arguments?

Re: Alerts and scripts with parameters

phoenixdigital — Wed, 08 May 2013 05:39:27 GMT

I was trying to pass in fixed values. Which also seems to be difficult as well

Re: Alerts and scripts with parameters

SantoshBansode — Mon, 25 Apr 2016 07:03:23 GMT

Is there any way where I can send the parameter from the search result?

Re: Alerts and scripts with parameters

SantoshBansode — Fri, 27 May 2016 05:27:48 GMT

It's limitation of the Splunk, there is no way to send the parameters.

Re: Alerts and scripts with parameters

martin_mueller — Fri, 27 May 2016 09:38:15 GMT

Not really.

Back in the days of this question, the alert script was passed the path of a results .csv.gz, the script could pull anything it wanted from there.

Nowadays, custom alert actions can receive any parameter you like: http://docs.splunk.com/Documentation/Splunk/6.4.1/AdvancedDev/ModAlertsIntro

Re: Alerts and scripts with parameters

rapmancz — Wed, 10 May 2017 00:31:24 GMT

do you have any practical example? Maybe I am getting old but I do not understand the procedure how to achieve to run final script/batch with something line myscript.bat $result.field1 $result.field2