Alerting

How to run a script as an alert action?

bhavesh91
New Member

The link http://docs.splunk.com/Documentation/Splunk/6.4.2/Alert/Configuringscriptedalerts states that the feature is deprecated and that you have to use "run a script" from the Alert Actions. I haven't tried that yet, hence I wanted to see if someone has already tried using that option so that they can help me on how to go about setting that up. It's an urgent requirement. Please help.

0 Karma
1 Solution

mattymo
Splunk Employee

The "run a script" action is definitely deprecated, but does still work. I have used it a few times with some old scripts I built and they still work fine.

You definitely should look at the custom alert action framework if you are hoping to build a long-term solution.

This blog post is a great place to get started as it shows you how to use the Splunk add-on builder to create an alert action:

http://blogs.splunk.com/2016/10/24/creating-mcafee-epo-alert-and-arf-actions-with-add-on-builder/

These also cover how to build them in detail:

http://blogs.splunk.com/2016/08/22/how-to-create-a-modular-alert/

http://blogs.splunk.com/2015/10/05/scheduled-export-of-indexed-data/

Also you could download any one of the alert actions on splunkbase to pull them apart and see how they are built:

https://splunkbase.splunk.com/apps/#/app_content/alert_actions

- MattyMo

bhavesh91
New Member

Thanks for the info - I will check them and try to get some understanding and create a custom script. Do you have an example for Windows-based scripting? The user is specifically looking for Windows-based logs.

0 Karma

sloshburch
Splunk Employee

If your search heads are on Linux, then the Windows script is not going to work. The scripted action will be occurring on the search head instance where the alert is triggered.

bhavesh91
New Member

Ah! We have search heads/indexers on Linux; the user who requested the scripts has their application logs on Windows. Is there no other way to do it? I just wanted to provide the update to the user so that I can close out the conversation with the user.

0 Karma

mattymo
Splunk Employee

It all comes down to what you want your scripted action to do, but generally, anything is possible with the right tools and desire to accomplish the task.

If the alert action lives on a Linux SH and the scripts need to run against a Windows box, you will need to get creative to facilitate that, but it's nothing an ssh server on the Windows box can't accomplish (i.e. ssh to the Windows box, and kick off a Windows script that lives on the machine).

Just depends on scale, appetite for creativity, etc etc.

- MattyMo
0 Karma
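As an added example (not code from this thread, from Splunk, or from the linked blog posts), here are the two suggestions above put together: a custom alert action script of the kind mattymo's accepted answer points to, doing what his later reply describes, i.e. ssh from the Linux search head to a Windows box and kick off a script that already lives there. Everything below is hypothetical: it assumes Python 3 (Splunk 8 or later; the 6.4 search heads in the question ship Python 2), an app whose alert_actions.conf carries a stanza `[ssh_windows_action]` with `is_custom = 1`, `payload_format = json` and the parameters `param.ssh_user`, `param.ssh_key`, `param.allowed_hosts` and `param.remote_script`, a Windows host running an SSH server with key-based login for that user, and made-up hostnames and paths. The host to connect to is taken from the `host` field of the triggering event, which is exactly the untrusted input an alert action has to be careful with, so it is checked against a hostname grammar and an administrator-set allowlist before it goes anywhere near ssh.

```python
#!/usr/bin/env python3
"""Custom alert action (assumed stanza name: ssh_windows_action): ssh from a
Linux search head to a Windows host and start a script that already lives there.
Splunk runs `<script> --execute` and writes one JSON payload to stdin; the
stanza's param.* settings arrive in payload["configuration"]."""
import json
import re
import subprocess
import sys

# RFC 1123 hostname grammar. A "host" field from event data that does not
# match is refused, so it can never carry ssh options or shell syntax.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_payload(text):
    """Decode the JSON payload from stdin and check the keys this action uses."""
    payload = json.loads(text)
    for key in ("configuration", "result", "search_name", "sid"):
        if key not in payload:
            raise ValueError("payload missing %r" % key)
    return payload


def pick_target_host(payload):
    """The host comes from the first matching event, so it is untrusted: it must
    parse as a hostname AND appear in the admin-set allowed_hosts parameter."""
    host = str(payload["result"].get("host", ""))
    allowed = {h.strip() for h in
               payload["configuration"].get("allowed_hosts", "").split(",") if h.strip()}
    if not HOST_RE.match(host):
        raise ValueError("refusing host with unexpected characters: %r" % host)
    if host not in allowed:
        raise ValueError("host %r is not in allowed_hosts" % host)
    return host


def build_ssh_command(payload):
    """Return the ssh argv. No shell runs on the search head, and the remote
    command is built only from alert_actions.conf parameters, never event fields."""
    conf = payload["configuration"]
    host = pick_target_host(payload)
    for key in ("ssh_user", "ssh_key", "remote_script"):
        if not conf.get(key):
            raise ValueError("alert action parameter %r is not set" % key)
    script = conf["remote_script"]
    if any(c in script for c in '"\r\n'):
        raise ValueError("remote_script contains characters that break quoting")
    return [
        "ssh",
        "-o", "BatchMode=yes",              # never prompt; fail instead
        "-o", "StrictHostKeyChecking=yes",  # host key must already be in known_hosts
        "-o", "ConnectTimeout=10",
        "-i", conf["ssh_key"],
        "-l", conf["ssh_user"],
        host,
        'powershell.exe -NonInteractive -File "%s"' % script,
    ]


def sample_payload(host="winapp01.example.com"):
    """Constructed payload in the shape Splunk sends; for local testing only."""
    return {
        "sid": "scheduler__admin__search__RMD5_at_1700000000_1",
        "search_name": "App error spike",
        "configuration": {
            "ssh_user": "splunkalert",
            "ssh_key": "/opt/splunk/etc/apps/myapp/local/id_ed25519",
            "allowed_hosts": "winapp01.example.com, winapp02.example.com",
            "remote_script": r"C:\Scripts\collect_app_logs.ps1",
        },
        "result": {"host": host, "sourcetype": "WinEventLog:Application"},
    }


def main(argv, stdin):
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL expected --execute\n")
        return 1
    try:
        payload = parse_payload(stdin.read())
        cmd = build_ssh_command(payload)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        sys.stderr.write("ERROR %s\n" % exc)
        return 1
    sys.stderr.write("INFO sid=%s running: %s\n" % (payload["sid"], " ".join(cmd)))
    # Timeout, stdout/stderr captured; a non-zero exit marks the action failed.
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    sys.stderr.write("INFO ssh exit=%d %s\n" % (proc.returncode, proc.stderr.strip()))
    return 0 if proc.returncode == 0 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

Install it as `$SPLUNK_HOME/etc/apps/<app>/bin/ssh_windows_action.py`, enable the action on the saved search, and Splunk calls it with `--execute` and the JSON payload on stdin; to try it off-line, pipe `json.dumps(sample_payload())` into it the same way. Two choices carry the security weight: the command is a list handed to `subprocess.run` with no shell, and the remote command line contains only values from `alert_actions.conf`, so a crafted event value such as `-oProxyCommand=...` or `host; del ...` is rejected by `pick_target_host` instead of becoming an ssh option or a command on the Windows side. `BatchMode=yes` and `StrictHostKeyChecking=yes` turn a missing key or an unknown host key into a clean failure rather than a hang or a silent trust-on-first-use.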

sloshburch
Splunk Employee

Not natively as this is not something the operating system can do. I'll reach out offline in case I can help with that discussion to the user.

0 Karma

somesoni2
Revered Legend

I've not tried it but it should work. Regardless, as suggested in the same link, you should use custom alert actions, which are a more scalable/robust way of achieving the same. The custom alert action also supports running custom scripts.
