Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Can not run a simple action script
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can not run a simple action script
Hello Team,
Troubleshooting for few hours the most basic script executed as the action.
Trying manually (search returning ~90 results):
sourcetype="cisco:ios" | runshellscript create_inc.sh arg1 arg2 arg3 arg4 arg5 arg6 arg7 "/tmp/test"
got the response: create_inc.sh exited with status code: 1
The script create_inc.sh content:
cp $8 >/tmp/ttt
(script is executable)
I have /tmp/test readable by all.
As a result i see /tmp/ttt created (it was not existing) but it's empty. Why ?
I want to write mode advanced script like this one:
https://answers.splunk.com/answers/149836/how-to-run-an-alert-script-on-field-values-generated-in-sp...
But can not get the simplest script tested. I have followed troubleshooting guide:
http://wiki.splunk.com/Community:TroubleshootingAlertScripts
But it's not really helpful.
Could you please help me with this most basic script ?
Thanks,
Michal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi teknet9,
It is described in Splunk docs that runshellscript is not a supported search command:
https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Runshellscript
This is most likely why your method does not work. arg8 is supposed to be the path to the search results passed by Splunk, and you are manually providing a path where the results should not be.
To test your script I would suggest setting up an alert with a script action (your script).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, a small update, i had a typoo in my script,
now i have:
sourcetype="cisco:ios" | runshellscript create_inc.sh arg1 arg2 arg3 arg4 arg5 arg6 arg7 "/tmp/test.gz"
Exiting with code 2.
While if i execute from shell:
./create_inc.sh arg1 arg2 arg3 a4 a5 a6 a7 /tmp/test.gz
Everything is working fine (my code is executed, file decopressed and so on).
I have my script in /opt/splunk/bin/script
code 2 suggest splunk can not find the script ? Why ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
