
Hi,
Currently I am creating a Custom Alert action script as per the documentation http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertScript but I would like to create a shell script instead of a Python script.
To fetch the payload I am using read sessionKey
in the shell script. Is this the correct way? Or do I need to use some other code to fetch the payload value in a shell script?
Thanks,
Harshil

You'll need to read in the arguments via stdin.
Please see this link for just about everything you need and let us know if you get stuck:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Configuringscriptedalerts
The downside to using a bash script as an alert action is that you only get those 7 arguments. To read the results you have to read & manipulate the data file whose path is provided by the 8th argument.
Cheers!

I realize this is a dated post but it is closely aligned with the issue I am having with my shell script custom alert action. Please elaborate on how you read in the stdin arguments to the shell script. I copied the sample script in the docs. The alert triggers the script and will print the $0 but the rest of the variables are null. Do I need to list the SPLUNK_ARG_x variables out in the alert_actions.conf?

Currently in my script I am using SPLUNK_ARG_1 ... 8, and I am using that script in "run a script alert action". It is working fine, but the feature is deprecated now.
So I have a new script based on "Custom Alert Action", but I can use only read sessionKey
as STDIN in the shell script.
I am getting the payload via this script:
#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    # Read the first line of stdin (the payload) without mangling backslashes
    read -r sessionKey
    echo "$sessionKey" > /tmp/payload_output.txt
fi
But if I use other variables in the script, those are not working/no output.
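#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    # read stores the first line of stdin in SPLUNK_ARG_0;
    # SPLUNK_ARG_1 is never assigned, so the second echo writes an empty line
    read -r SPLUNK_ARG_0
    echo "$SPLUNK_ARG_0" > /tmp/payload_output.txt
    echo "$SPLUNK_ARG_1" >> /tmp/payload_output.txt
fi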
So my question is about read sessionKey,
which I am using in the first script and which gets me the payload value: is this the correct method to fetch the payload value in a Custom Alert Action script?
Thanks,
Harshil

Are you looking for the search results?
If so there will be a file on a path specified by argument 8. You must use your script to read this file and use it as the payload.

While using arguments in the script based on this http://docs.splunk.com/Documentation/Splunk/6.4.5/AdvancedDev/CustomAlertScript , those arguments (SPLUNK_ARG_0 ... 8) are not working.

OK, I understand your question now. Yes, you are doing it correctly, except I wouldn't call the payload sessionKey; I would call it payload:
read payload

Perfect. Working fine, thanks. I am not able to convert your last comment to an answer, so I am accepting the first answer as the answer.
Thanks,
Harshil

Hey, you did see in alert_actions.conf where you can change the payload format to XML or JSON, I hope!

Yes, I already converted it into JSON format in alert_actions.conf.
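
Added example, not part of the original thread or of Splunk's own code: a shell custom alert action that reads the whole stdin payload (a single `read` stops at the first newline) and logs a redacted copy to an owner-only temp file instead of a fixed path under /tmp. It assumes the JSON payload format and top-level `session_key` and `results_file` string fields; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes payload_format = json and
# top-level "session_key" / "results_file" string fields in the payload.

# Consume all of stdin; a single `read` would stop at the first newline.
read_payload() { cat; }

# Mask the session key value so the token is never written to disk.
redact_session_key() {
    sed -E 's/("session_key"[[:space:]]*:[[:space:]]*")[^"]*/\1REDACTED/g'
}

# Extract one simple string field without jq. Escaped quotes inside the
# value are not handled; use a real JSON parser for anything richer.
json_field() {
    local key=$1
    sed -nE 's/.*"'"$key"'"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' | head -n 1
}

# Read the payload, keep a redacted copy in an owner-only temp file
# (mktemp creates it with mode 0600), and print that file's path.
run_action() {
    local payload log
    payload=$(read_payload) || return 1
    log=$(mktemp "${TMPDIR:-/tmp}/alert_payload.XXXXXX") || return 1
    printf '%s\n' "$payload" | redact_session_key > "$log"
    printf 'results_file=%s\n' \
        "$(printf '%s\n' "$payload" | json_field results_file)" >> "$log"
    printf '%s\n' "$log"
}

# The thread's scripts are invoked with --execute as the first argument.
if [ "${1:-}" = "--execute" ]; then
    run_action
fi
```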
