In trying to package up our app into its own app folder, we ran into an issue where it seems Splunk won't accept .. / \ in the script path, and will only look in $SPLUNK_HOME/bin/scripts. This seems oddly contrary to everything else in Splunk, which can be neatly packaged in an app.
Is there a way to allow alert scripts to reside in $SPLUNK_HOME/etc/ourapp/bin and still be run?
Doesn't work. Splunk complained if I tried to put a full path in (ERROR script - Script location cannot contain "..", "/", or "\"), or just place the script in /etc/ourapp/bin/ or etc/ourapp/bin/scripts (ERROR script - Cannot find script at /opt/splunk/bin/scripts/script.sh) - other ideas?
I've tried it once and wasn't able to get it working outside of bin/scripts. There's probably no way to do this right now. I've filed an ER back then. You should do this too if you want this to be available sometime in Splunk.
This DOES work, but the documentation is wrong.
Contrary to what is stated here: http://wiki.splunk.com/Community:TroubleshootingAlertScripts and in the README file for each app, you need to put it in etc/apps/
Then, in your alert, don't specify any path, just the name of the script.
Thanks agent613 this worked!
I'm trying to upvote you but I don't have enough points so I'll repeat what you said and add a bit.
The script must be in the /bin/scripts folder of the app.
So for alerts in the search app I put the script I want to run (DoSomethingOnAlert.sh) in
Under a saved search in the alert actions section under "File name of shell script to run" you can only put the filename WITHOUT path (otherwise you will get the "script location cannot contain" error message in /opt/splunk/var/log/splunk/splunkd.log)
So in here I have only the script name:
hmm. this doesn't work for me in splunk 6.0. even with a default.meta that exports everything.
according to http://wiki.splunk.com/Community:TroubleshootingAlertScripts, the script in the app will only be accessible by saved searches in the app's context.
i wonder if this used to work but was broken in 6.0? December 16 2011 would have been splunk 4.2 IIRC...maybe i'll downgrade and see if it works there...
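A pre-flight check for the placement rules discussed in this thread, as an added example that is not part of any post above and is not Splunk's own code. It applies the bare-filename rule from the splunkd error message and then looks for the script under the app and under the global bin/scripts; the etc/apps/<app>/bin/scripts layout and the app-first search order are assumptions, and the function name and return codes are hypothetical.

```shell
#!/bin/sh
# resolve_alert_script SPLUNK_HOME APP NAME   (hypothetical helper)
# Prints the path the alert script would be found at, or returns:
#   2 = name is not a bare filename, 3 = not found, 4 = found but not executable
resolve_alert_script() {
    splunk_home=$1
    app=$2
    name=$3

    # Same rule the splunkd error reports: no "..", "/" or "\" in the name.
    case $name in
        ''|*..*|*/*|*\\*)
            echo "invalid: script name must be a bare filename: $name" >&2
            return 2 ;;
    esac

    # Assumption: the app-local directory is consulted before the global one.
    for dir in "$splunk_home/etc/apps/$app/bin/scripts" "$splunk_home/bin/scripts"; do
        candidate=$dir/$name
        [ -f "$candidate" ] || continue
        if [ ! -x "$candidate" ]; then
            echo "found but not executable: $candidate" >&2
            return 4
        fi
        printf '%s\n' "$candidate"
        return 0
    done

    echo "not found in app or global bin/scripts: $name" >&2
    return 3
}

# Constructed demo tree (not a real Splunk install).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/etc/apps/ourapp/bin/scripts" "$demo_home/bin/scripts"
printf '#!/bin/sh\necho alert fired\n' > "$demo_home/etc/apps/ourapp/bin/scripts/script.sh"
chmod +x "$demo_home/etc/apps/ourapp/bin/scripts/script.sh"

resolve_alert_script "$demo_home" ourapp script.sh
resolve_alert_script "$demo_home" ourapp ../ourapp/script.sh || echo "rejected (rc=$?)"
rm -rf "$demo_home"
```

Run it against a real install by passing your own $SPLUNK_HOME and app directory name; a return code of 4 points at file permissions rather than placement.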