How to pass hostname to a custom alert script?

jpolcari · ‎06-06-2016

I have an alert setup that finds an error which indicates that a service must be restarted. When the alert triggers, I would like for a script to run that restarts the service on the specific host that service failed on. I saw in the link below that you can pass custom arguments such as a fieldvalue. Is it possible to pass these arguments to a script? I'm interested in grabbing the hostname of the system so I can reference it in my script. This is a Windows environment so I would most likely be using a .bat file to restart the service.

http://docs.splunk.com/Documentation/Splunk/6.4.1/AdvancedDev/ModAlertsLog

jkat54 · ‎08-05-2018

Since Cuyose’s script was executing on a full splunk server (not a UF/LWF), Cuyose had python at hid disposal and didn’t use a .bat file. Instead he used python and the documentation found here to create a custom alert action.

http://docs.splunk.com/Documentation/Splunk/7.1.2/AdvancedDev/ModAlertsIntro

To do this with a batch script, you have to use the results gzip tar file and your own code to pull fields out.

The tar.gz is explained here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/Configuringscriptedalerts

You’re wasting your time doing this in batch scripts if you ask me... you should be doing a python mod alert or SPL command.

AniPrag · ‎08-05-2018

Thanks for responding, However the problem is not resolved yet
In alert_actions.conf ($Splunk_Home$\etc\system\local) file i am adding below
param.name = $result.HostName$
but its showing invalid stanza and i am calling the same in script as shown below
hostname=settings.get(name)

but still the stanze problem is not done..
m i doing some thing wrong...

jkat54 · ‎08-05-2018

If you want help I suggest you post your own question and show the code you’re using too. We can’t troubleshoot two issues on one thread as these may be very different custom code problems.

jkat54 · ‎08-05-2018

My apologies, I thought the original poster answered their own question.

AniPrag · ‎08-05-2018

Any update ?

Cuyose · ‎03-14-2017

I figured this out. in order for these variables to be used from the resultset I had to declare these variables in the alert_actions.conf, then restart. I then could add the information by calling the variable value with setting.get from the action script.

alert_actions.conf
param.results_team = $result.team$

action.py
team = settings.get('results_team')

jashman · ‎12-04-2017

Hi Cuyose,
I am trying something similar to this and am having trouble getting the variable to pass across. Do you mind sharing some more of the code in action.py so we can see how this is done?

alvaro_garcia · ‎12-20-2017

any update?

AniPrag · ‎08-05-2018

Any update

jpolcari · ‎06-14-2016

Still having some issues with this. Any ideas?

AniPrag · ‎08-05-2018

did you get any answer

somesoni2 · ‎06-06-2016

Do you have host name (where the service failed) available as a field in your resultset? If you do, you can use $result.<hostfieldname>$ in your script.

jpolcari · ‎06-06-2016

I attempted to add $result.host$ to the .bat and just have the script print it to a file. The script ran but it only printed "$result.host$" to the text document. I also tried the same but with % isntead of $ but that time it only printed Echo is on. Am I missing something? The script is placed in %SPLUNK_HOME%\bin\scripts.

jpolcari · ‎06-06-2016

Thank you, the host name is available. I'll give this a shot.

jkat54 · ‎06-06-2016

This is worth a bookmark too: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Configuringscriptedalerts

How to pass hostname to a custom alert script?

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!