Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How pull a file from host that triggered alert

batuhankutluca
Explorer
‎02-01-2020 11:17 PM

I've been searching for a way to pull a file from Splunk universal forwarder installed host, but couldn't find anything useful.

What I need is, after my specific alert is triggered, I need to pull a file from that host that triggered the alarm.

I created 1-2 custom alert actions so I'm familiar with that stuff simply.
Maybe running some python codes on the host can help me to upload that file to my server but I'm not sure with that.

Is there any other stuff that helps me with these problems?
Thanks in advance.

0 Karma
Reply

batuhankutluca
Explorer
‎02-03-2020 06:58 PM

Still looking for a way.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-02-2020 01:05 AM

Hi @batuhankutluca,
did you already tried to execute a script that pulls a file from when alert is fired?

Ciao.
Giuseppe

0 Karma
Reply

batuhankutluca
Explorer
‎02-02-2020 02:19 AM

Hi @gcusello

Actually I didn't try to do that because I don't know how to do it. Maybe setting up a ftp listener on my deployment server and running a python code that connects my server via ftp works. Just a thought tho, I don't even know if it is reasonable or not.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-04-2020 12:17 AM

Hi @batuhankutluca,
for my knowledge (I'm not an expert of scripting!) the only way is to execute a script that access the remote server and copy the file: I don't like this solution because it's a break in security!

A workaround: if the file to pull is a text file, you could index it in Splunk and put in a separate index, eventually with a low retention (to not have too storage), so you can have it when an alert is fired.

Ciao.
Giuseppe

0 Karma
Reply

batuhankutluca
Explorer
‎02-05-2020 05:02 AM

Hi @gcusello,
Thanks for your answer. It may be a txt file but not for the all events. I was looking for a splunk feature to do that but I guess there is not. I mean since we can run scripts on host via forwarder, I thought we can do more like fetching a file instead monitoring it. As you mentioned, it would be a security problem for enterprise 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...