Can Someone Please explain in detail how to "Run a Script" based on an Alert Trigger

Explorer

Hi all,

I'm using Splunk 6.5.1 on a Windows platform and simply trying to get the "Run a Script" trigger working under Alerts. I see that a version of this is now deprecated; however, "run a script" is still available via Alert Triggers.

What I'm trying to do now is just for proof of concept, so I'm using a very minimal, easy script and paths so I can get the understanding down.

It states under trigger actions (when setting up an alert) for us to put our scripts in "C:\Splunk\bin\scripts". When I look in the scripts directory I see nothing but *.PATH files (they all reference exe's, it seems), so I created one myself called PING.Path. Within the path file, I placed the path of where the Windows batch file is located: F:\SimplePing.BAT

Inside the Windows batch file is just a simple ping command that pipes the results to a text file (so that I'll know the script really fired off):
Ping hostname > F:\PingStuff\PingResults.txt

^ This works fine, no problem, when I launch the bat file manually, but it never fires when the alert is triggered within Splunk. I've also tried copying the .bat file directly to the scripts directory and referencing it in the alert; that didn't work either.

What am I doing wrong? I'm only using the Windows batch file for proof of concept so I can grasp an understanding of how it works. In the end we'd like to use Secure Copy to move files from Windows to Linux with a PSCP script, with something like this in the syntax: pscp local-file-name username@remote-host:/directory/name

1 Solution

Legend

"It states under trigger actions (when setting up an alert) for us to put our scripts in "C:\Splunk\bin\scripts", when I look in the scripts directory I see nothing but *.PATH files"
Okay, just because you see PATH files there does not mean that you have to create a PATH file. Put your batch file in the "C:\Splunk\bin\scripts" directory. I know that you said you did that, but there is something else wrong.

Remember that the script will be executed by the user account that is running the Splunk service. Does that user account have sufficient privileges to run the script? Does the script file have any weird permissions settings?

Look at the splunkd.log or audit.log files and see if there are any messages or warnings. It is possible that you need to specify the script as C:\Splunk\bin\scripts\SimplePing.bat in the alert settings. (On later versions of Splunk, you might also examine the alert_manager*.log files for problems.)

I won't be as harsh as @woodcock, but you should be doing your proof-of-concept on the same OS that you will ultimately use. Splunk itself operates in the same way on all platforms, but there are differences between operating systems in terms of file permissions and script execution. This can mean that you are struggling with things in your POC that will be unimportant in your actual implementation - or worse, that your POC will not uncover all of these problems.
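The two checks in the answer above (which account the Splunk service actually runs the script as, and whether the alert really invoked it) can be made self-evident from inside the script. The batch file below is an added example, not the poster's original SimplePing.BAT or anything from Splunk's own code: it logs the executing identity and the positional arguments that Splunk's scripted alert action passes to every script (event count in %1, saved search name in %4, trigger reason in %5, path to the gzipped results file in %8; %2, %3, %6 and %7 carry the search terms, full query, results link and a deprecated field), then appends the ping output. The directory C:\Splunk\bin\scripts comes from the alert UI quoted in the question; F:\PingStuff and the target name are assumptions carried over from the question's proof of concept.

```batch
@echo off
REM SimplePing.bat - added diagnostic example, not the original poster's script.
REM Drop it in C:\Splunk\bin\scripts and reference it by file name in the alert action.
REM Assumed output location (from the question): F:\PingStuff\PingResults.txt
setlocal
set "LOGDIR=F:\PingStuff"
set "LOGFILE=%LOGDIR%\PingResults.txt"
REM PING_TARGET is a placeholder; replace with a host you are allowed to ping.
set "PING_TARGET=hostname"

REM If this mkdir fails, the Splunk service account lacks write access to the drive,
REM which is exactly the permission problem the answer asks about.
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

>> "%LOGFILE%" echo ==== %DATE% %TIME% alert action fired ====
REM Identity that matters for permissions: the account running splunkd, not the logged-in user.
>> "%LOGFILE%" whoami
REM Positional arguments Splunk passes to scripted alert actions.
REM %~n strips surrounding quotes so values with spaces log cleanly.
>> "%LOGFILE%" echo event count    : %~1
>> "%LOGFILE%" echo saved search   : %~4
>> "%LOGFILE%" echo trigger reason : %~5
>> "%LOGFILE%" echo results file   : %~8
if not "%~8"=="" if exist "%~8" (>> "%LOGFILE%" echo results file present: yes) else (>> "%LOGFILE%" echo results file present: no)

REM The original proof-of-concept step, with stderr captured too so failures are visible.
ping -n 2 %PING_TARGET% >> "%LOGFILE%" 2>&1
>> "%LOGFILE%" echo ping exit code : %ERRORLEVEL%
endlocal
exit /b 0
```

Running the alert once and reading the log tells you immediately whether the script fired at all (the timestamp line), which account it ran as (the whoami line, to compare against the NTFS ACLs on F:\PingStuff), and whether Splunk handed over its results file. The search string arguments (%2 and %3) are deliberately not echoed: they can contain characters such as & or | that the command interpreter would treat as operators when expanded unquoted in a batch file.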

Explorer

After checking permissions on the file and the user account running the script, I saw it looked good. I simply added the file back to the script dir and tried once again, and it works. So I must have fat-fingered something. Thanks @iguinn

Explorer

I'm fully aware that Linux is the "preferred" platform to use with Splunk; they only start preaching it in Splunk 101! So thank you for pointing that out, Captain Obvious!! :)......However, it was absolutely NO help to my problem.

I'm a System Architect and have worked on many complex systems (Linux and Windows), and I can tell you from experience the customer's STACK isn't always going to be Linux, whether you like it or not. You have to be versatile in IT!

As a disclaimer, I'd like to clear up the false narrative that Splunk can't be run on Windows, sigh. I've been using Splunk on a Windows platform for over 3 years in a distributed setup and haven't had "M*A*N*Y avoidable regrets"... in fact I haven't had any major problems at all the entire time I've used it. Different strokes for different folks! But largely in part the luxury of choice is on the customer and their current STACK, NOT your cold war Linux vs Windows attitude... I'm sure Splunk doesn't feel the way you do about their product.

@Iguinn Thanks for your response, I'll try looking into what you've said.
I cannot explain in full detail what I'm doing because of the nature of my work; however, I think there's confusion because you don't have the full details. I can't go into them, but it involves multiple subnets, enclaves and OS platforms... Just know the proof of concept isn't being done this way because we want to. It's the only option available... Thank you

Esteemed Legend

I know this is going to sound harsh, but the main thing that you are doing wrong is that you are using Windows OS for your Splunk architecture. You should use Linux for your Search Head, Indexers, etc. You are headed down a path with M*A*N*Y (avoidable) regrets.