Hi,
Currently I am creating a Custom Alert action script as per documentation http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertScript but I would like to create Shell script instead of Python script.
In the shell script, to fetch the payload I am using read sessionKey. Is this the correct way, or do I need to use some other code to fetch the payload value in a shell script?
Thanks,
Harshil
You'll need to read in the arguments via stdin.
Please see this link for just about everything you need and let us know if you get stuck:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Configuringscriptedalerts
The downside to using a bash script as an alert action is that you only get those 7 arguments. To read the results you have to read & manipulate the data file whose path is provided by the 8th argument.
Cheers!
I realize this is a dated post, but it is closely aligned with the issue I am having with my shell script custom alert action. Please elaborate on how you read in the stdin arguments to the shell script. I copied the sample script in the docs. The alert triggers the script and will print the $0 but the rest of the variables are null. Do I need to list the SPLUNK_ARG_x variables out in the alert_actions.conf?
Currently in script I am using SPLUNK_ARG_1 ... 8 and that script I am using in "run a script alert action" & it is working fine but the feature is deprecated now.
So I have a new script based on "Custom Alert Action" but I can use only read sessionKey as STDIN in the shell script.
I am getting Payload via this script
#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    read sessionKey
    echo $sessionKey > /tmp/payload_output.txt
fi
But if I use other variables in the script, those are not working/no output.
#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    read SPLUNK_ARG_0
    echo $SPLUNK_ARG_0 > /tmp/payload_output.txt
    echo $SPLUNK_ARG_1 >> /tmp/payload_output.txt
fi
So my question is about read sessionKey, which I am using in the first script and which gets me the payload value: is this the correct method to fetch the payload value in a Custom Alert Action script?
Thanks,
Harshil
Are you looking for the search results?
If so there will be a file on a path specified by argument 8. You must use your script to read this file and use it as the payload.
While using arguments in the script based on this http://docs.splunk.com/Documentation/Splunk/6.4.5/AdvancedDev/CustomAlertScript , those arguments (SPLUNK_ARG_0 ... 8) are not working.
Ok, I understand your question now. Yes, you are doing it correctly, except I wouldn't call the payload sessionKey, I would call it payload:
read payload
Perfect. working fine, Thanks. I am not able to convert your last comment as Answer, so accepting first answer as Answer.
Thanks,
Harshil
Hey you did see in alert_actions.conf where you can change the payload format to xml or JSON I hope!
Yes, I already converted into JSON format in alert_actions.conf
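
Added example, not part of the thread and not Splunk's own code: a custom alert action script that reads the JSON payload from stdin as discussed above, but masks the session key before saving a debug copy and uses mktemp instead of a fixed /tmp path. The field names session_key and results_file come from Splunk's JSON payload format rather than from this thread; the function names and sample values are made up for the example.

```shell
#!/bin/bash
# Added example for a custom alert action with payload_format = json.

# Read the whole payload from stdin. Plain `read` stops at the first newline
# and treats backslashes as escapes; cat keeps the payload byte for byte.
read_payload() {
    cat
}

# Mask the session_key value so a saved copy does not hold a usable token.
redact_session_key() {
    sed -E 's/("session_key"[[:space:]]*:[[:space:]]*")[^"]*"/\1REDACTED"/'
}

# Extract one string field by name (hypothetical helper). This is a sed match,
# not a JSON parser: it does not decode escapes, so prefer jq where available.
json_string_field() {
    sed -nE "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"([^\"]*)\".*/\1/p"
}

# Save a redacted debug copy and print its path. mktemp creates the file with
# mode 0600 and an unpredictable name, unlike a fixed world-readable /tmp file.
save_debug_copy() {
    local payload dir out
    payload=$1
    dir=${2:-${TMPDIR:-/tmp}}
    out=$(mktemp "$dir/alert_payload.XXXXXX") || return 1
    printf '%s\n' "$payload" | redact_session_key > "$out"
    printf '%s\n' "$out"
}

# Splunk invokes the script with --execute and sends the payload on stdin.
if [ "${1:-}" = "--execute" ]; then
    payload=$(read_payload)
    copy=$(save_debug_copy "$payload") || exit 1
    # Path to the search results file, taken from the payload.
    results_file=$(printf '%s\n' "$payload" | json_string_field results_file)
    echo "debug copy: $copy results file: $results_file" >&2
fi
```
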