Alerting

How to configure custom alert for run python script

jacruzs
Explorer

Hi,

I have some problem with run python script in custom alert. I have the next file

alert_actions.conf
[DigitalTwingKeepwareCRC]
is_custom = 1
label = "Monitoreo de molino de Rio Claro"
description = "Ejecuta acciones sobre el molino de Rio Claro"
payload_format = json
param.result_count = $job.resultCount$
param.search_query = $job.search$
param.results = results_link
alert.execute.cmd = python
alert.execute.cmd.arg.0 = $SPLUNK_HOME$/etc/apps/DTw_CRC/bin/iotgateway/test.py
alert.execute.cmd.arg.1 = --execute

but in the _internal index I get the next event

ERROR sendmodalert - action=DigitalTwingKeepwareCRC - Failed to find alert.execute.cmd "python".

Please, help me

0 Karma

harsmarvania57
Ultra Champion

Hi,

In alert.execute.cmd you need to provide *.path file.

  1. Create $SPLUNK_HOME$/etc/apps/DTw_CRC/linux_x86_64/bin/directory.
  2. Create python.path file with below config and provide execute permission with chmod 750 python.path

    "$SPLUNK_HOME/bin/splunk" cmd python

  3. Use below config in alert_actions.conf
    [DigitalTwingKeepwareCRC]
    is_custom = 1
    label = "Monitoreo de molino de Rio Claro"
    description = "Ejecuta acciones sobre el molino de Rio Claro"
    payload_format = json
    param.result_count = $job.resultCount$
    param.search_query = $job.search$
    param.results = results_link
    alert.execute.cmd = python.path
    alert.execute.cmd.arg.0 = $SPLUNK_HOME$/etc/apps/DTw_CRC/bin/iotgateway/test.py
    alert.execute.cmd.arg.1 = --execute

0 Karma

jacruzs
Explorer

Hi,

I created $SPLUNK_HOME$/etc/apps/DTw_CRC/linux_x86_64/bin/ directory.

In the last location, I created python.path file, and in this file write "$SPLUNK_HOME/bin/splunk" cmd python

I edited alert_actions.conf

But I get the next error:

04-01-2019 13:05:01.910 0000 ERROR sendmodalert - action=DigitalTwingKeepwareCRC - Failed to find alert.execute.cmd "python.path".

What's my error?

0 Karma

harsmarvania57
Ultra Champion

I have tested above config in my lab and failed but below config is working fine.

Please change $SPLUNK_HOME$/etc/apps/DTw_CRC/linux_x86_64/bin/python.path with below config

$SPLUNK_HOME/bin/python

Add below config in $SPLUNK_HOME$/etc/apps/DTw_CRC/metadata/default.meta

[alert_actions/DigitalTwingKeepwareCRC]
access = read : [ * ], write : [ admin ]
export = system
owner = nobody
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...