Alerting

How to - Custom alert action (passing arguments to custom scripts)

mbagali_splunk
Splunk Employee
Splunk Employee

How to use a custom script in alert actions and pass arguments to it when the alert is triggered

Tags (1)
0 Karma
1 Solution

mbagali_splunk
Splunk Employee
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered

Let us assume a sample.sh script as below which will accept a name a argument and print to a sample.log file

!/bin/bash
echo "hello $1 @ date +%Y-%m-%d-%H:%M:%S" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions

Create an app "MyApp" with a "bin" directory and "default" directory

Place the sample.sh and another file .path file. The .path file should have the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

flag the action as custom alert action

is_custom = 1

configure appearance in the UI
label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

override default script execution
alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After splunk restart, a custom alert action will be created, which needs to be selected during the alert creation.

In the alert_actions.conf you can pass any number of arguments to your script.

View solution in original post

mbagali_splunk
Splunk Employee
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered

Let us assume a sample.sh script as below which will accept a name a argument and print to a sample.log file

!/bin/bash
echo "hello $1 @ date +%Y-%m-%d-%H:%M:%S" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions

Create an app "MyApp" with a "bin" directory and "default" directory

Place the sample.sh and another file .path file. The .path file should have the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

flag the action as custom alert action

is_custom = 1

configure appearance in the UI
label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

override default script execution
alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After splunk restart, a custom alert action will be created, which needs to be selected during the alert creation.

In the alert_actions.conf you can pass any number of arguments to your script.

rvany
Communicator

If you just name your script custom_script.sh - using exactly the phrase from the corresponding alerts_action.conf stanza, the bash.path file and the alert.execute.* entries in alert_actions.conf are not necessary.

mbagali_splunk
Splunk Employee
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered

Let us assume a sample.sh script as below which will accept a name a argument and print to a sample.log file

!/bin/bash

echo "hello $1 @ date +%Y-%m-%d-%H:%M:%S" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions

Create an app "MyApp" with a "bin" directory and "default" directory

Place the sample.sh and another file .path file. The .path file should have the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

flag the action as custom alert action

is_custom = 1

configure appearance in the UI

label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

override default script execution

alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After splunk restart, a custom alert action will be created, which needs to be selected during the alert creation.

In the alert_actions.conf you can pass any number of arguments to your script.

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...