Alerting

How to run a script as an alert action?

bhavesh91
New Member

The link http://docs.splunk.com/Documentation/Splunk/6.4.2/Alert/Configuringscriptedalerts states that the feature is deprecated and that you have to use "run a script" from the Alert Actions. I haven't tried that yet, hence I wanted to see if someone has already tried using that option so that they can help me on how to go about setting that up. It's an urgent requirement. Please help.


mattymo
Splunk Employee

The "run a script" action is definitely deprecated, but does still work. I have used it a few times with some old scripts I built and they still work fine.

You definitely should look at the custom alert action framework if you are hoping to build a long-term solution.

This blog post is a great place to get started as it shows you how to use the Splunk add-on builder to create an alert action:

http://blogs.splunk.com/2016/10/24/creating-mcafee-epo-alert-and-arf-actions-with-add-on-builder/

These also cover how to build them in detail:

http://blogs.splunk.com/2016/08/22/how-to-create-a-modular-alert/

http://blogs.splunk.com/2015/10/05/scheduled-export-of-indexed-data/

Also you could download any one of the alert actions on splunkbase to pull them apart and see how they are built:

https://splunkbase.splunk.com/apps/#/app_content/alert_actions

- MattyMo

bhavesh91
New Member

Thanks for the info. I will check them and try to get some understanding and create a custom script. Do you have an example for Windows-based scripting? The user is specifically looking for Windows-based logs.


sloshburch
Splunk Employee

If your search heads are on Linux, then the Windows script is not going to work. The scripted action will occur on the search head instance where the alert is triggered.

bhavesh91
New Member

Ah! We have search heads/indexers on Linux, but the user who requested the scripts has their application logs on Windows. Is there no other way to do it? I just wanted to provide the update to the user so that I can close out the conversation with the user.


mattymo
Splunk Employee

It all comes down to what you want your scripted action to do, but generally, anything is possible with the right tools and desire to accomplish the task.

If the alert action lives on a Linux SH and the scripts need to run against a Windows box, you will need to get creative to facilitate that, but it's nothing an ssh server on the Windows box can't accomplish (i.e. ssh to the Windows box and kick off a Windows script that lives on the machine).

Just depends on scale, appetite for creativity, etc etc.

- MattyMo

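As an added example that is not code from this thread or from Splunk, here is one shape a script on a Linux search head could take that covers both points made above: the accepted answer's note that the deprecated "run a script" action still works while the custom alert action framework is the long-term route, and MattyMo's suggestion of sshing from the Linux SH to the Windows box to kick off a script that lives there. The script accepts either interface (the legacy one passes eight positional arguments, the eighth being the gzipped CSV of results; the custom one invokes the script with `--execute` and a JSON payload on stdin that includes `search_name`, `results_file`, `session_key` and the action's `configuration` parameters) and hands the events to a fixed PowerShell script on a Windows host. The host allowlist, the `splunk-alert` ssh account, the remote script path, the `target_host` parameter name, the forwarded field list and the sample rows are all assumptions for the example. The security-relevant choices: the session key from the payload is dropped rather than passed around, only an allowlisted host can be targeted, only a few named columns leave the search head, and no search result is ever placed on the remote command line; the events go to the remote script's stdin as JSON, so there is nothing to quote for cmd.exe or PowerShell.

```python
#!/usr/bin/env python3
"""Hypothetical alert script for a Linux search head (added example, not code
from the thread or from Splunk). Works under both interfaces Splunk offers:
  * legacy "run a script": eight positional arguments, argv[8] = results file
  * custom alert action: invoked with --execute, JSON payload on stdin
Reads the gzipped CSV of triggering events and ships a fixed subset of fields
to a fixed PowerShell script on an allowlisted Windows host over ssh."""
import csv
import gzip
import json
import os
import re
import subprocess
import sys
import tempfile

# Assumptions for the example: reachable hosts, ssh account, remote handler path.
ALLOWED_HOSTS = {"win-app01.example.com", "win-app02.example.com"}
DEFAULT_HOST = "win-app01.example.com"
SSH_USER = "splunk-alert"
REMOTE_SCRIPT = r"C:\Splunk\alerts\Handle-Alert.ps1"
FORWARD_FIELDS = ("_time", "host", "source", "EventCode")  # never the whole row
MAX_ROWS = 100
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Constructed sample of what Splunk writes to the results file, for offline runs.
SAMPLE_ROWS = [
    {"_time": "2016-11-01T10:00:00", "host": "win-app01", "source": "WinEventLog:Security",
     "EventCode": "4625", "Message": "An account failed to log on."},
    {"_time": "2016-11-01T10:00:05", "host": "win-app01", "source": "WinEventLog:Security",
     "EventCode": "4625", "Message": "An account failed to log on."},
]

def parse_payload(text):
    """Normalize the custom-alert-action payload (stdin, with --execute).
    session_key is deliberately dropped: it must never be logged or forwarded."""
    p = json.loads(text)
    host = p.get("configuration", {}).get("target_host") or DEFAULT_HOST
    return {"search_name": p["search_name"], "results_file": p["results_file"],
            "target_host": host}

def parse_legacy_args(argv):
    """Normalize the legacy interface: argv[4] is the saved search name and
    argv[8] the results file; there are no per-action parameters."""
    if len(argv) < 9:
        raise ValueError("legacy scripted alert expects 8 positional arguments")
    return {"search_name": argv[4], "results_file": argv[8], "target_host": DEFAULT_HOST}

def read_results(path):
    """Both interfaces hand over a gzipped CSV of the triggering events."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))

def select_fields(rows):
    """Keep only the allowlisted columns and cap what is sent off the search head."""
    return [{k: row.get(k, "") for k in FORWARD_FIELDS} for row in rows[:MAX_ROWS]]

def build_ssh_command(host):
    """The remote command line is fixed: no search result ever touches it, so
    there is nothing to quote for cmd.exe or PowerShell; data goes on stdin."""
    if host not in ALLOWED_HOSTS or not HOST_RE.match(host):
        raise ValueError("target host %r is not on the allowlist" % (host,))
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
            "%s@%s" % (SSH_USER, host),
            "powershell.exe", "-NoProfile", "-NonInteractive", "-File", REMOTE_SCRIPT]

def forward(host, search_name, rows, runner=subprocess.run):
    """Run the remote handler with a JSON document on its stdin. `runner` is
    injectable so the logic can be exercised without a real ssh connection."""
    doc = json.dumps({"search_name": search_name, "events": select_fields(rows)})
    runner(build_ssh_command(host), input=doc, text=True, check=True, timeout=60)
    return doc

def write_sample_results(path=None):
    """Write SAMPLE_ROWS as a gzipped CSV in the shape Splunk produces."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".csv.gz")
        os.close(fd)
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(SAMPLE_ROWS[0]))
        writer.writeheader()
        writer.writerows(SAMPLE_ROWS)
    return path

def main(argv, stdin):
    if len(argv) > 1 and argv[1] == "--execute":
        ctx = parse_payload(stdin.read())
    else:
        ctx = parse_legacy_args(argv)
    rows = read_results(ctx["results_file"])
    forward(ctx["target_host"], ctx["search_name"], rows)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

For the custom alert action route the script lives in the app's bin/ directory with a matching stanza in default/alert_actions.conf (at minimum `is_custom = 1`, a `label`, and a `param.target_host` default) so Splunk invokes it with `--execute`; for the legacy route it goes under the scripts directory and is selected by name in the "Run a script" action. Since the script runs as the splunk user on the search head, the ssh private key for the Windows account should be readable only by that user, and the Windows account should be limited to running this one handler (an authorized_keys `command=` restriction on the Windows OpenSSH server, as on Linux, is one way to enforce that).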
sloshburch
Splunk Employee

Not natively as this is not something the operating system can do. I'll reach out offline in case I can help with that discussion to the user.


somesoni2
SplunkTrust

I've not tried it, but it should work. Regardless, as suggested in the same link, you should use custom alert actions, which are a more scalable/robust way of achieving the same. The custom alert action also supports running custom scripts.
