I want to restart a remote Windows service from a Splunk search alert script. How do I pass the server name to the script? Is it possible using PowerShell? Do I need to use the same service account running the splunkforwarder service on the client as is running on the Splunk search head?
To answer your question: you cannot pass the host name directly to the script. But you can pass some other arguments to the script, as documented at http://docs.splunk.com/Documentation/Splunk/6.2.3/Alert/Configuringscriptedalerts :

Arg  Env Variable  Value
0    SPLUNK_ARG_0  Script name
1    SPLUNK_ARG_1  Number of events returned
2    SPLUNK_ARG_2  Search terms
3    SPLUNK_ARG_3  Fully qualified query string
4    SPLUNK_ARG_4  Name of report
5    SPLUNK_ARG_5  Trigger reason
6    SPLUNK_ARG_6  Browser URL to view the report
7    SPLUNK_ARG_7  Not used for historical reasons
8    SPLUNK_ARG_8  File in which the results for the search are stored. Contains raw results.

The last one is the best one to use in your script: read the host from the result and do whatever needs to be done with it.
Hope that helps ...
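The approach the answer above describes, as an added example that is not part of the thread and not Splunk's own code: a scripted alert action in PowerShell that reads the result file named by SPLUNK_ARG_8, takes the host field of each result row, and restarts one fixed Windows service on that host over WinRM. It assumes (none of this is stated in the thread) that the result file is a gzip-compressed CSV as Splunk writes it, that the script runs on a Windows search head under the splunkd service account, that this account may restart the service on the target hosts via Invoke-Command, and that the service name ImageGateway and the host names in the allowlist are placeholders to be replaced.

```powershell
# Added example, not from the thread: restart a service on the host named in the
# alert results. Assumptions: SPLUNK_ARG_8 points to a gzip-compressed CSV; the
# account running splunkd on the search head has WinRM access and the right to
# restart the service on the target hosts.

param(
    [string]$ServiceName = 'ImageGateway'   # hypothetical service name; replace
)

# Only hosts on this allowlist are ever acted upon; anything else is logged and skipped,
# so a crafted or unexpected search result cannot make the script touch other machines.
$AllowedHosts = @('faxgw01', 'faxgw02')      # constructed placeholder host names

$splunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$LogFile = Join-Path $splunkHome 'var\log\splunk\restart_service_alert.log'

function Write-AlertLog {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

function Read-SplunkResults {
    # Decompress the gzipped CSV that Splunk hands to a scripted alert and parse it.
    param([string]$Path)
    $fileStream = [System.IO.File]::OpenRead($Path)
    try {
        $gzip   = New-Object System.IO.Compression.GZipStream($fileStream, [System.IO.Compression.CompressionMode]::Decompress)
        $reader = New-Object System.IO.StreamReader($gzip)
        $csvText = $reader.ReadToEnd()
        $reader.Dispose()
    } finally {
        $fileStream.Dispose()
    }
    return ($csvText | ConvertFrom-Csv)
}

$resultsFile = $env:SPLUNK_ARG_8
if (-not $resultsFile -or -not (Test-Path $resultsFile)) {
    Write-AlertLog "no results file in SPLUNK_ARG_8; nothing to do"
    exit 1
}

# One restart per distinct host, however many events the search returned.
$targets = Read-SplunkResults -Path $resultsFile |
    Select-Object -ExpandProperty host -Unique

foreach ($target in $targets) {
    if ($AllowedHosts -notcontains $target) {
        Write-AlertLog "refusing to act on host '$target' (not on allowlist)"
        continue
    }
    try {
        Invoke-Command -ComputerName $target -ScriptBlock {
            param($svc)
            Restart-Service -Name $svc -ErrorAction Stop
        } -ArgumentList $ServiceName
        Write-AlertLog "restarted '$ServiceName' on $target (triggered by search '$env:SPLUNK_ARG_4')"
    } catch {
        Write-AlertLog "failed to restart '$ServiceName' on $target : $($_.Exception.Message)"
    }
}
```

Because the script runs on the search head, it is the search head's splunkd account, not the forwarder's, that needs the remote-restart right; keeping the host allowlist and the service name fixed in the script, and writing every action to a log under SPLUNK_HOME, limits what a bad search result can make the alert do and leaves an audit trail of each restart.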
The OP has asked "How do I pass the server name to the script?", so how can this not be the answer to this question?
NO. How do you USE SPLUNK to restart a service running on a remote server in the network? I don't want to restart Splunk Enterprise, I want SPLUNK ENTERPRISE to restart a remote service.
I want to set an event for a specific app Service, running on a VMWARE 5 Microsoft Windows 2012R2 Guest, we are monitoring with Splunk to restart the application service (Image Gateway) when the logfile shows the service went to sleep (due to fax server comm loss).
You might want to check the alert action section in the docs https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro to read what is possible. The most important question would be how you can restart the service remotely and how it can be scripted.
Another option would be to check out https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html which is purpose built for such use cases.
Hope this helps ...
Thank you, I will take a look...
But specifically I am trying to determine HOW Splunk restarts an application service (NOT a SPLUNK service) from a forwarder.
Does it do an RPC call?
Does it use PowerShell?
Does it use the incoming port 8089?