Custom alert action to execute script

pbarbuto · ‎06-15-2021

I need help creating an alert action to run a simple bash script.

I created a custom app with a local/alert_actions.conf file. I have the script in the /opt/splunk/bin/scripts/ directory, but its not being called. I've tried the full path as well as the filename and I'm seeing the following errors both ways. I can run the script manually from the cli and it works fine. I'm wondering what I'm missing?

[test_custom_alert_action]
is_custom = 1
label = testing the custom alert action
description = Send splunk event data to a script
#alert.execute.cmd = /opt/splunk/bin/scripts/test-script-action.sh
alert.execute.cmd = test-script-action.sh

Errors

06-15-2021 16:33:11.603 -0500 ERROR sendmodalert - action=test_custom_alert_action - Failed to find alert.execute.cmd "test-script-action.sh".

and

06-15-2021 16:30:12.352 -0500 ERROR sendmodalert - action=test_custom_alert_action - Failed to find alert.execute.cmd "/opt/splunk/bin/scripts/test-script-action.sh".

I'll also need to add arguments to send results to the script. I know I'll need to use alert.execute.cmd.arg.0 but I figured I'd just get the script working first.

Custom alert action to execute script

alert action

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

Custom alert action to execute script

alert action

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency