topic Re: Custom Alert action shell script in Alerting

How to create Custom Alert action shell script?

harsmarvania57 — Thu, 03 Aug 2023 20:14:57 GMT

Hi,

Currently I am creating a Custom Alert action script as per documentation http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertScript but I would like to create Shell script instead of Python script.

In shell script to fetch payload I am using read sessionKey in shell script, is this correct way ?? Or Do I need to use some other code to fetch payload value in shell script?

Thanks,
Harshil

Re: Custom Alert action shell script

jkat54 — Wed, 01 Mar 2017 10:45:09 GMT

You'll need to read in the arguments via stdin.

Please see this link for just about everything you need and let us know if you get stuck:

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Configuringscriptedalerts

The downside to using a bash script as an alert action is that you only get those 7 arguments. To read the results you have to read & manipulate the data file who's path is provided by the 8th argument.

Cheers!

Re: Custom Alert action shell script

harsmarvania57 — Tue, 29 Sep 2020 13:04:48 GMT

Currently in script I am using SPLUNK_ARG_1 ... 8 and that script I am using in "run a script alert action" & it is working fine but the feature is deprecated now.

So I have new script based on "Custom Alert Action" but I can use only read sessionKey as STDIN in Shell Script

I am getting Payload via this script

#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    read sessionKey
    echo $sessionKey > /tmp/payload_output.txt
fi

But If I use other variables in script those are not working/no output.

#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    read SPLUNK_ARG_0
    echo $SPLUNK_ARG_0 > /tmp/payload_output.txt
    echo $SPLUNK_ARG_1 >>  /tmp/payload_output.txt
fi

So my question is read sessionKey which I am using in first script and I am getting payload value, so is this correct method to fetch payload value in Custom Alert Action script ?

Thanks,
Harshil

Re: Custom Alert action shell script

jkat54 — Wed, 01 Mar 2017 11:26:29 GMT

Are you looking for the search results?

If so there will be a file on a path specified by argument 8. You must use your script to read this file and use it as the payload.

Re: Custom Alert action shell script

harsmarvania57 — Tue, 29 Sep 2020 13:04:51 GMT

While using argument in script based on this http://docs.splunk.com/Documentation/Splunk/6.4.5/AdvancedDev/CustomAlertScript , those arguments (SPLUNK_ARG_0 ... 😎 are not working.

Re: Custom Alert action shell script

jkat54 — Wed, 01 Mar 2017 12:10:42 GMT

Ok I understand your question now. Yes you are doing it correctly except I wouldn't call the payload sessionKey I would call it payload:

 read payload

Re: Custom Alert action shell script

harsmarvania57 — Wed, 01 Mar 2017 12:25:18 GMT

Perfect. working fine, Thanks. I am not able to convert your last comment as Answer, so accepting first answer as Answer.

Thanks,
Harshil

Re: Custom Alert action shell script

jkat54 — Wed, 01 Mar 2017 12:30:40 GMT

Hey you did see in alert_actions.conf where you can change the payload format to xml or JSON I hope!

Re: Custom Alert action shell script

harsmarvania57 — Wed, 01 Mar 2017 12:32:53 GMT

Yes, I already converted into JSON format in alert_actions.conf

Re: Custom Alert action shell script

splunkettes — Thu, 03 Aug 2023 19:58:15 GMT

I realize this is a dated post but is closely aligned with the issue I am having with my shell script custom alert action.. Please elaborate on how you read in the stdin arguments to the shell script. I copied the sample script in the docs. The alert triggers the script and will print the $0 but the rest of the variables are null. Do I need to list the SPLUNK_ARG_x variables out in the alert_actions.conf?