Alerting

How to pass hostname to a custom alert script?

jpolcari
Communicator

I have an alert set up that finds an error which indicates that a service must be restarted. When the alert triggers, I would like a script to run that restarts the service on the specific host that the service failed on. I saw in the link below that you can pass custom arguments such as a field value. Is it possible to pass these arguments to a script? I'm interested in grabbing the hostname of the system so I can reference it in my script. This is a Windows environment, so I would most likely be using a .bat file to restart the service.

http://docs.splunk.com/Documentation/Splunk/6.4.1/AdvancedDev/ModAlertsLog

0 Karma

jkat54
SplunkTrust

Since Cuyose’s script was executing on a full Splunk server (not a UF/LWF), Cuyose had Python at his disposal and didn’t use a .bat file. Instead he used Python and the documentation found here to create a custom alert action.

http://docs.splunk.com/Documentation/Splunk/7.1.2/AdvancedDev/ModAlertsIntro

To do this with a batch script, you have to use the results gzip tar file and your own code to pull fields out.

The tar.gz is explained here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/Configuringscriptedalerts

You’re wasting your time doing this in batch scripts if you ask me... you should be doing a Python mod alert or SPL command.

0 Karma

AniPrag
Engager

Thanks for responding. However, the problem is not resolved yet.
In the alert_actions.conf file ($Splunk_Home$\etc\system\local) I am adding the line below:
param.name = $result.HostName$
but it's showing an invalid stanza, and I am calling the same in the script as shown below:
hostname=settings.get(name)

But the stanza problem is still not solved.
Am I doing something wrong?

0 Karma

jkat54
SplunkTrust

If you want help I suggest you post your own question and show the code you’re using too. We can’t troubleshoot two issues on one thread as these may be very different custom code problems.

0 Karma

jkat54
SplunkTrust

My apologies, I thought the original poster answered their own question.

0 Karma

AniPrag
Engager

Any update?

0 Karma

Cuyose
Builder

I figured this out. In order for these variables to be used from the result set, I had to declare these variables in alert_actions.conf, then restart. I could then add the information by calling the variable value with settings.get from the action script.

alert_actions.conf
param.results_team = $result.team$

action.py
team = settings.get('results_team')
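
A fuller sketch of the approach in the post above, added here as an example and not Cuyose's own action.py. It assumes a custom alert action whose alert_actions.conf stanza declares `param.hostname = $result.host$` (the stanza, parameter and service names are hypothetical), reads the JSON payload Splunk writes to the script's stdin, and validates the hostname before it reaches a command line, since the value originates in indexed event data.

```python
import json
import re
import subprocess
import sys

# Assumed alert_actions.conf entry (stanza and parameter names are hypothetical):
#   [restart_service]
#   param.hostname = $result.host$
SERVICE_NAME = "ExampleService"  # hypothetical service name

# Dot-separated labels of letters, digits and hyphens, 253 characters at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def hostname_from_payload(raw_json):
    """Return the validated hostname from the alert payload, or raise ValueError."""
    payload = json.loads(raw_json)
    settings = payload.get("configuration") or {}
    hostname = (settings.get("hostname") or "").strip()
    # A leftover token means the result set had no such field.
    if not hostname or "$" in hostname:
        raise ValueError("hostname token was not expanded: %r" % hostname)
    # The value comes from indexed event data, so treat it as untrusted input.
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("refusing unsafe hostname: %r" % hostname)
    return hostname

def restart_commands(hostname, service=SERVICE_NAME):
    """Build argv lists for sc.exe; no shell is involved, so nothing is re-parsed."""
    target = "\\\\" + hostname
    return [["sc.exe", target, "stop", service],
            ["sc.exe", target, "start", service]]

def main(argv, stdin):
    if len(argv) < 2 or argv[1] != "--execute":
        print("FATAL unsupported execution mode", file=sys.stderr)
        return 1
    try:
        hostname = hostname_from_payload(stdin.read())
    except ValueError as exc:  # also covers malformed JSON
        print("ERROR %s" % exc, file=sys.stderr)
        return 2
    for cmd in restart_commands(hostname):
        subprocess.run(cmd, check=False, timeout=60)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

`sc.exe stop` returns before the service has finished stopping, so a production script would poll `sc.exe query` before issuing the start.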

jashman
Engager

Hi Cuyose,
I am trying something similar to this and am having trouble getting the variable to pass across. Do you mind sharing some more of the code in action.py so we can see how this is done?

0 Karma

alvaro_garcia
Explorer

Any update?

0 Karma

AniPrag
Engager

Any update?

0 Karma

jpolcari
Communicator

Still having some issues with this. Any ideas?

0 Karma

AniPrag
Engager

Did you get any answer?

0 Karma

somesoni2
SplunkTrust

Do you have host name (where the service failed) available as a field in your resultset? If you do, you can use $result.<hostfieldname>$ in your script.

0 Karma

jpolcari
Communicator

I attempted to add $result.host$ to the .bat and just have the script print it to a file. The script ran but it only printed "$result.host$" to the text document. I also tried the same but with % instead of $, but that time it only printed "Echo is on". Am I missing something? The script is placed in %SPLUNK_HOME%\bin\scripts.

0 Karma

jpolcari
Communicator

Thank you, the host name is available. I'll give this a shot.

0 Karma
