Alerting

ERROR Missing arguments to operator runshellscript expected at least 10 got 2

multiverse
Engager

Hello,

I'm new at this triggering of alert scripts and have hit my first obstacle.

When this search is manually fired in the Splunk GUI:

index=* sourcetype=df | multikv | eval perc_used=trim(UsePct, "%") | search perc_used >= 80 | runshellscript snow_alert.sh

Gives the following error message:

External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2." "

The script looks like this:

#! /bin/sh
#
#  ARGUMENTS
#  $0 Script name
#  $1 Number of events returned
#  $2 Search terms
#  $3 Fully qualified query string
#  $4 Name of saved search
#  $5 Trigger reason (for example, "The number of events was greater than 1")
#  $6 Browser URL to view the saved search
#  $8 File in which the results for this search are stored (contains raw results)
/opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"R
esults URL = $6\""

That script is in the correct location on the filesystem and I am able to run it at the CLI.

Example from the CLI:

opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\"" >> splunk-testing.log 2>&1

The following error is logged:

"External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2.""

It is mentioned here:
http://wiki.splunk.com/Community:TroubleshootingAlertScripts

When I execute:

echo "date ARG0='$0' ARG1='$1' ARG2='$2' ARG3='$3' ARG4='$4' ARG5='$5' ARG6='$6' ARG7='$7' ARG8='$8'"

I get:

Tue Jan 22 12:43:32 PST 2013 ARG0='-bash' ARG1='' ARG2='' ARG3='' ARG4='' ARG5='' ARG6='' ARG7='' ARG8=''

What am I doing wrong?

jonuwz
Influencer

awesome discovery.

0 Karma

jonuwz
Influencer

That command is whats used when an alert script fires.

When an alert fires and there's a script to run those variables are passed to the script, along with a session key which is read from STDIN.

For instance $4 is the saved search name - this can't be set because this isn't a saved search.

If you save your search, and create an alert trigger to call your script - it will work.

Edit 1

Or ... create the variables yourself.

Here the 1st argument is the number of results

* | head 1 | runshellscript echo.sh * | head 1 | runshellscript echo.sh [ search * | stats count | return count ] 2 3 4 5 6 7

and it puts this in bin/scripts/echo_output.txt :

'/opt/splunk/bin/scripts/echo.sh' 'count=64972' '2' '3' '4' '5' '6' '7' '/opt/splunk/var/run/splunk/dispatch/8/results.csv.gz' 'sessionKey=cedffc9ebc8cf266eb59a95156922ecd'

Worth noting ..

The script doesn't run against each row.

Edit 2

This is actually very, very cool

providing you're careful with your search you can pass search results directly into the script.

 * | stats values(sourcetype) as types 
 | eval stuff=mvjoin(types,",")
 | map search="| runshellscript echo.sh \"$stuff$\" 2 3 4 5 6 7 8"

Now echo.sh gets a comma delimited list of sourcetypes as the 1st argument.

testadrianbelen
New Member

does runscript command only works in alerts? so I should create a search query, which has runscript command, in http://splunk.xyz/en-US/app/search/search and then save it as alert?.

I have directly tried this command in search GUI to saved the result but it does not return the results.csv.gz.

  • | head 1 | runshellscript test.py [ search * | stats count | return count ] 2 3 4 5 6 7 /var/www
0 Karma

testadrianbelen
New Member

I also saved the search as alert but it also does not work 😞

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...