Alerting

ERROR Missing arguments to operator runshellscript expected at least 10 got 2

multiverse
Engager

Hello,

I'm new at this triggering of alert scripts and have hit my first obstacle.

When this search is manually fired in the Splunk GUI:

index=* sourcetype=df | multikv | eval perc_used=trim(UsePct, "%") | search perc_used >= 80 | runshellscript snow_alert.sh

Gives the following error message:

External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2." "

The script looks like this:

#! /bin/sh
#
#  ARGUMENTS
#  $0 Script name
#  $1 Number of events returned
#  $2 Search terms
#  $3 Fully qualified query string
#  $4 Name of saved search
#  $5 Trigger reason (for example, "The number of events was greater than 1")
#  $6 Browser URL to view the saved search
#  $8 File in which the results for this search are stored (contains raw results)
/opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\""

That script is in the correct location on the filesystem and I am able to run it at the CLI.

Example from the CLI:

/opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\"" >> splunk-testing.log 2>&1

The following error is logged:

"External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2.""

It is mentioned here:
http://wiki.splunk.com/Community:TroubleshootingAlertScripts

When I execute:

echo "date ARG0='$0' ARG1='$1' ARG2='$2' ARG3='$3' ARG4='$4' ARG5='$5' ARG6='$6' ARG7='$7' ARG8='$8'"

I get:

Tue Jan 22 12:43:32 PST 2013 ARG0='-bash' ARG1='' ARG2='' ARG3='' ARG4='' ARG5='' ARG6='' ARG7='' ARG8=''

What am I doing wrong?

jonuwz
Influencer

awesome discovery.

0 Karma

jonuwz
Influencer

That command is what's used when an alert script fires.

When an alert fires and there's a script to run, those variables are passed to the script, along with a session key which is read from STDIN.

For instance $4 is the saved search name - this can't be set because this isn't a saved search.

If you save your search, and create an alert trigger to call your script - it will work.

Edit 1

Or ... create the variables yourself.

Here the 1st argument is the number of results

* | head 1 | runshellscript echo.sh [ search * | stats count | return count ] 2 3 4 5 6 7

and it puts this in bin/scripts/echo_output.txt :

'/opt/splunk/bin/scripts/echo.sh' 'count=64972' '2' '3' '4' '5' '6' '7' '/opt/splunk/var/run/splunk/dispatch/8/results.csv.gz' 'sessionKey=cedffc9ebc8cf266eb59a95156922ecd'

Worth noting ..

The script doesn't run against each row.

Edit 2

This is actually very, very cool

providing you're careful with your search you can pass search results directly into the script.

* | stats values(sourcetype) as types
| eval stuff=mvjoin(types,",")
| map search="| runshellscript echo.sh \"$stuff$\" 2 3 4 5 6 7 8"

Now echo.sh gets a comma delimited list of sourcetypes as the 1st argument.
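A defensive version of the alert script, added here as an example (it is not code from this thread or from Splunk). It refuses to run unless it received the eight positional arguments that the echo.sh output above shows, checks that $6 is an http(s) URL and $8 is a readable results file, reads the session key from stdin without writing it to any log, and escapes backslashes and double quotes before embedding a value in the SPL string. That last check also matters for the map trick above, where search results become script arguments and a stray quote would otherwise terminate the SPL string early. The SPL and the /opt/splunk/bin/splunk path are taken from the original snow_alert.sh; the function names and the file name snow_alert_safe.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumed argument layout (from the
# echo.sh output in this thread): $1 event count, $2 search terms, $3 query,
# $4 saved search name, $5 trigger reason, $6 results URL, $7 unused,
# $8 results file; the session key arrives on stdin.

# Escape backslashes and double quotes so a value can sit inside a
# double-quoted SPL string without ending it early.
escape_spl() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# 0 when the script got the 8 positional arguments an alert passes;
# fewer means it was run from the CLI or from an ad-hoc search.
alert_args_ok() {
    [ "$#" -ge 8 ]
}

# Only accept a results URL that starts with http:// or https://.
results_url_ok() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# The results file Splunk names in $8 must exist and be readable.
results_file_ok() {
    [ -n "$1" ] && [ -r "$1" ]
}

# work_notes value built from $6, escaped for SPL.
build_work_notes() {
    printf 'Results URL = %s' "$(escape_spl "$1")"
}

# Full SPL string, same shape as the original snow_alert.sh.
build_snow_search() {
    notes=$(build_work_notes "$1")
    printf '|snow instance=dev action=insert request=incident short_description="Alert filed by Splunk." work_notes="%s"' "$notes"
}

main() {
    if ! alert_args_ok "$@"; then
        echo "got $# argument(s), expected 8; fire this from a saved alert, not the CLI" >&2
        return 2
    fi
    if ! results_url_ok "$6"; then
        echo "refusing to file incident: results URL is not http(s)" >&2
        return 3
    fi
    if ! results_file_ok "$8"; then
        echo "refusing to file incident: results file '$8' is not readable" >&2
        return 4
    fi
    # Consume the session key from stdin; never echo or log it.
    IFS= read -r session_key
    [ -n "$session_key" ] || { echo "no session key on stdin" >&2; return 5; }
    /opt/splunk/bin/splunk search "$(build_snow_search "$6")"
}

# Run main only when executed as snow_alert_safe.sh (assumed file name),
# so the functions can also be sourced for testing.
case "$0" in
    */snow_alert_safe.sh|snow_alert_safe.sh) main "$@" ;;
esac
```

Saved as bin/scripts/snow_alert_safe.sh and named in the alert's "run a script" action, it exits with a usage message instead of a malformed `|snow` search when invoked with two arguments as in the original question.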

testadrianbelen
New Member

Does the runshellscript command only work in alerts? So I should create a search query that has the runshellscript command in http://splunk.xyz/en-US/app/search/search and then save it as an alert?

I have directly tried this command in the search GUI to save the result, but it does not return the results.csv.gz.

* | head 1 | runshellscript test.py [ search * | stats count | return count ] 2 3 4 5 6 7 /var/www
0 Karma

testadrianbelen
New Member

I also saved the search as alert but it also does not work 😞

0 Karma