Alerting

ERROR ScriptRunner - stderr from 'C:\Splunk\etc\apps\search\bin\runshellscript.py': ImportError: No module named site

Engager

I config a scripted alert, then i put the myalert.py into $SPLUNK_HOME\bin\scripts. But when alert is trigger, the script execute error(in splunkd.log):
ERROR ScriptRunner - stderr from 'C:\Splunk\etc\apps\search\bin\runshellscript.py': ImportError: No module named site

Splunk Version is 4.3.0
Why?

Thanks lots.

SavedSearch:
[WebServerMini-alert-script]
action.email.inline = 1
action.email.reportServerEnabled = 0
action.script = 1
action.script.filename = myalert.py
alert.digest_mode = True
alert.severity = 4
alert.suppress = 0
alert.suppress.period = 5s
alert.track = 1
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = @m
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = flashtimeline
search = index=fschangemonitor sourcetype="WINSERVER1-Web-Mini"
vsid = gz0wf600

myalert.py:
import sys

f = open("argv.txt", "w")
for var in sys.argv:
f.write(var + "\n")
f.close()

Tags (2)
0 Karma

Engager

I solved the question.

I put the myalert.py into the %SPLUNK_HOME%\etc\app\search\bin directory, then edit the %SPLUNK_HOME%\etc\app\search\default\commands.conf, add the following section:

[myalert]
filename = myalert.py

then the script running correct where the alert is triggered.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!