I am trying to set up an alert that runs a script after finding a result. For some reason, we see this error each time we try to run the script:
06-01-2020 13:20:09.091 -0500 ERROR ModularUtility - Specified filename "/opt/splunk/etc/apps/TA-S3Deleter/bin/s3_file_deleter.py" not found in search path. 06-01-2020 13:20:09.091 -0500 ERROR sendmodalert - action=s3_file_deleter - Failed to find alert.execute.cmd "/opt/splunk/etc/apps/TA-S3Deleter/bin/s3_file_deleter.py".
Here is how the alert_actions.conf is set up:
[s3_file_deleter] is_custom = 1 label = S3 File Deleter description = This action passes along a value in filePath to a python script that will delete a file in an S3 bucket. payload_format = json alert.execute.cmd = /opt/splunk/etc/apps/TA-S3Deleter/bin/s3_file_deleter.py
The script definitely exists in that directory. I've reviewed a lot of the documentation on this, and there is no good example for simply running a python script. Any insight would be greatly appreciated. Thanks.
Splunk does not allow random file paths in script commands. Just specify the name of the .py file in
alert.execute.cmd and Splunk will fill in the rest.
Thank you, Rich, that definitely got it to run. The python script checks for the --execute flag and shuts down if it doesn't see it. We modeled it after a Splunk example python script. Any idea how we should be passing the different arguments to the script? I just want to alert on a certain event and pass along a value from one of fields in that event. Let me know if I need to start a new Splunk Answer. Thanks again.
Nevermind, I think I found where you can define the arguments sent to the script here: https://docs.splunk.com/Documentation/Splunk/8.0.3/AdvancedDev/CustomAlertScript
[myjavaaction] . . . alert.execute.cmd = java.path alert.execute.cmd.arg.0 = -jar alert.execute.cmd.arg.1 = $SPLUNK_HOME/etc/apps/myapp/bin/my.jar alert.execute.cmd.arg.2 = --execute