https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412044#M7223 <P>You can look at creating an alert action script, as documented at <A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsIntro">https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsIntro</A></P> <P>You will need to write a Splunk query that identifies the hosts which are not responsive. At the end of the search, you want a list of servers. Save this search as an alert, then assign an alert action to it.</P> <P>Your alert action script will need to read a CSV file which contains your servers, then decide what you want to do with them. I suggest using something like ssh with pre-shared certificates, then doing <CODE>ssh root@remote-server.com /sbin/reboot</CODE> . Just do that for each host that is listed in the CSV.</P> <P>Splunk also supported very basic alert action scripts, which I summarised at <A href="https://simonduff.net/splunk_alert_script/">https://simonduff.net/splunk_alert_script/</A> . This has been deprecated, but still works.</P> <P>Alternatively, you can also look at Splunk Phantom. That has many more features, running advanced playbooks, etc... which is probably overkill for what you require.</P> Fri, 19 Apr 2019 22:29:58 GMT sduff_splunk 2019-04-19T22:29:58Z https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412043#M7222 <P>Hi , I am looking for to automate jobs for splunk , i want to build an alert that will trigger if any server has issue as well as do a automatic restart of the server through the splunk alert without human intervention , How can i do it ?</P> Fri, 19 Apr 2019 21:12:41 GMT https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412043#M7222 Prakash493 2019-04-19T21:12:41Z https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412044#M7223 <P>You can look at creating an alert action script, as documented at <A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsIntro">https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsIntro</A></P> <P>You will need to write a Splunk query that identifies the hosts which are not responsive. At the end of the search, you want a list of servers. Save this search as an alert, then assign an alert action to it.</P> <P>Your alert action script will need to read a CSV file which contains your servers, then decide what you want to do with them. I suggest using something like ssh with pre-shared certificates, then doing <CODE>ssh root@remote-server.com /sbin/reboot</CODE> . Just do that for each host that is listed in the CSV.</P> <P>Splunk also supported very basic alert action scripts, which I summarised at <A href="https://simonduff.net/splunk_alert_script/">https://simonduff.net/splunk_alert_script/</A> . This has been deprecated, but still works.</P> <P>Alternatively, you can also look at Splunk Phantom. That has many more features, running advanced playbooks, etc... which is probably overkill for what you require.</P> Fri, 19 Apr 2019 22:29:58 GMT https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412044#M7223 sduff_splunk 2019-04-19T22:29:58Z https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412045#M7224 <P>Splunk recently bought Phantom so if you are looking for an add-on solution, I would start there because it will obviously be heavily supported and probably fully integrated at some point.</P> Wed, 24 Apr 2019 01:39:22 GMT https://community.splunk.com/t5/Alerting/How-to-build-an-alert-that-will-trigger-any-server-issue-and-do/m-p/412045#M7224 woodcock 2019-04-24T01:39:22Z