Alerting

How to create Custom Alert action shell script?

harsmarvania57
Ultra Champion

Hi,

Currently I am creating a Custom Alert action script as per documentation http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertScript but I would like to create Shell script instead of Python script.

In the shell script, to fetch the payload I am using read sessionKey. Is this the correct way? Or do I need to use some other code to fetch the payload value in a shell script?

Thanks,
Harshil

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

You'll need to read in the arguments via stdin.

Please see this link for just about everything you need and let us know if you get stuck:

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Configuringscriptedalerts

The downside to using a bash script as an alert action is that you only get those 7 arguments. To read the results you have to read & manipulate the data file whose path is provided by the 8th argument.

Cheers!


0 Karma

splunkettes
Path Finder

I realize this is a dated post, but it is closely aligned with the issue I am having with my shell script custom alert action. Please elaborate on how you read in the stdin arguments to the shell script. I copied the sample script in the docs. The alert triggers the script and will print $0, but the rest of the variables are null. Do I need to list the SPLUNK_ARG_x variables out in alert_actions.conf?

0 Karma

harsmarvania57
Ultra Champion

Currently in the script I am using SPLUNK_ARG_1 ... 8, and that script I am using in the "run a script" alert action, and it is working fine, but that feature is deprecated now.

So I have a new script based on "Custom Alert Action", but I can only use read sessionKey as STDIN in the shell script.

I am getting the payload via this script:

#!/bin/bash
# Splunk runs the script as "script --execute" and sends the payload on stdin
if [[ "$1" == "--execute" ]]; then
    read -r sessionKey                            # -r keeps backslashes in the payload intact
    echo "$sessionKey" > /tmp/payload_output.txt  # quoted so the payload is not word-split
fi

But if I use other variables in the script, those are not working (no output).

#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    read -r SPLUNK_ARG_0                              # reads the single stdin line into SPLUNK_ARG_0
    echo "$SPLUNK_ARG_0" > /tmp/payload_output.txt
    echo "$SPLUNK_ARG_1" >> /tmp/payload_output.txt   # nothing assigns SPLUNK_ARG_1 here, so this line is empty
fi

So my question is: read sessionKey, which I am using in the first script, gives me the payload value, so is this the correct method to fetch the payload value in a Custom Alert Action script?

Thanks,
Harshil

0 Karma

jkat54
SplunkTrust
SplunkTrust

Are you looking for the search results?

If so there will be a file on a path specified by argument 8. You must use your script to read this file and use it as the payload.

0 Karma

harsmarvania57
Ultra Champion

While using arguments in the script based on this http://docs.splunk.com/Documentation/Splunk/6.4.5/AdvancedDev/CustomAlertScript, those arguments (SPLUNK_ARG_0 ... 8) are not working.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Ok, I understand your question now. Yes, you are doing it correctly, except I wouldn't call the payload sessionKey; I would call it payload:

read payload
0 Karma

harsmarvania57
Ultra Champion

Perfect, working fine, thanks. I am not able to convert your last comment into the Answer, so I am accepting the first answer as the Answer.

Thanks,
Harshil

0 Karma

jkat54
SplunkTrust
SplunkTrust

Hey, you did see in alert_actions.conf where you can change the payload format to XML or JSON, I hope!

0 Karma

harsmarvania57
Ultra Champion

Yes, I already converted it to JSON format in alert_actions.conf.

0 Karma
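As an added example (not code from this thread), here is how the accepted approach and the payload_format = json setting discussed above fit together: a bash custom alert action that reads the JSON payload from stdin on --execute and extracts only the fields it needs, keeping the session_key credential off disk. It assumes jq or python3 is on PATH and uses the field names of Splunk's JSON alert payload (sid, search_name, results_file, session_key); the sample payload is constructed.

```shell
#!/bin/bash
# Bash custom alert action. With payload_format = json in alert_actions.conf, Splunk
# runs "script --execute" and writes the alert payload as one JSON line to stdin.
# Assumed: jq or python3 on PATH; field names (sid, search_name, results_file,
# session_key) are those of Splunk's JSON alert payload.
set -eu

# Constructed sample payload, shaped like the real one (all values made up).
SAMPLE_PAYLOAD='{"sid":"scheduler__admin__search__RMD5abc_at_1700000000_1","search_name":"Failed logins","results_file":"/tmp/results.csv.gz","session_key":"DO-NOT-LOG-ME"}'

# Print one top-level string field of the JSON document in $1 (empty if absent).
json_field() {
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq -r --arg f "$2" '.[$f] // empty'
    else
        printf '%s' "$1" | python3 -c \
            'import json,sys; print(json.load(sys.stdin).get(sys.argv[1], ""))' "$2"
    fi
}

# Read the whole payload line from stdin; -r keeps the JSON backslashes intact.
read_payload() {
    IFS= read -r line || true
    printf '%s' "$line"
}

# One log line for the alert. session_key is a live credential for the Splunk
# REST API, so only the fields the action needs are extracted; the key never
# reaches disk (unlike dumping the raw payload to /tmp).
summarize_payload() {
    printf 'sid=%s search_name=%s results_file=%s' \
        "$(json_field "$1" sid)" "$(json_field "$1" search_name)" \
        "$(json_field "$1" results_file)"
}

if [ "${1:-}" = "--execute" ]; then
    umask 077                                   # log readable by the splunk user only
    payload=$(read_payload)
    log="${SPLUNK_HOME:-/tmp}/bash_alert_action.log"
    summarize_payload "$payload" >> "$log"; echo >> "$log"
    results=$(json_field "$payload" results_file)   # gzipped CSV of the triggering events
    if [ -n "$results" ] && [ -f "$results" ]; then
        gzip -dc "$results" | head -n 5 >> "$log"
    fi
else
    summarize_payload "$SAMPLE_PAYLOAD"; echo     # dry run on the constructed payload
fi
```

Run without arguments it prints the summary of the constructed payload; installed as a custom alert action it is invoked with --execute and reads the real payload.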