Alerting

Basics around alert actions

CrookC007
Explorer

Hi,

I have not been working with Splunk for long but I have come across a lot of issues trying to get it to trigger a custom script. I then noted that the 'feature' had been deprecated and in the resulting searching came across people talking about creating custom alert actions.

In my head this seems to suggest that the original way is left in for legacy so defining a new one is your best bet. Am I right here?

I had a quick look in the alert_actions.conf and found the stanza for the original function. If you were to try and create your own how would it be any different? When I say different I mean in order to get it to work.

I personally think I have made assumptions that are incorrect around why you would want to create a customer alert action in the first place. Looking at it at all is driven purely through frustration in not being able to run my shell script.

1 Solution

woodcock
Esteemed Legend

It all still works. It has been deprecated (but not disabled/removed and I am sure that it never will be). I still use it when I am in a hurry and it works fine. The GUI front-end has hidden it but you can still add it from CLI and it still works the same as always. The "right" thing to do is to create a custom modular alert that is multi-processor/platform compatible but that takes much longer.

View solution in original post

0 Karma

woodcock
Esteemed Legend

It all still works. It has been deprecated (but not disabled/removed and I am sure that it never will be). I still use it when I am in a hurry and it works fine. The GUI front-end has hidden it but you can still add it from CLI and it still works the same as always. The "right" thing to do is to create a custom modular alert that is multi-processor/platform compatible but that takes much longer.

0 Karma

CrookC007
Explorer

Interesting thanks. I will have to try a few more things to try and make mine do something then (or stick with cron).

0 Karma

starcher
SplunkTrust
SplunkTrust

Making alerts using the Add-On builder is the best way these days. You have to get used to it. But once you do, things become much easier.

https://splunkbase.splunk.com/app/2962/

CrookC007
Explorer

BTW I tried to award points but it would leave me unable to post any more questions apparently.

woodcock
Esteemed Legend

Check my position on the leaderboard; I don't need the points (but appreciate your generosity)!

0 Karma

woodcock
Esteemed Legend

You can always upvote to spread Karma for free. I upvoted some of your stuff in this Q/A so should have more Karma now!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...