The link http://docs.splunk.com/Documentation/Splunk/6.4.2/Alert/Configuringscriptedalerts states that the feature is deprecated and have to use the "run a script" from the Alert Actions. I haven't tried that yet, hence I wanted to see if someone has already tried using that option so that they can help me on how to go about setting that up. Its an urgent requirement . Please help
 
		
		
		
		
		
	
			
		
		
			
					
		The "run a script" action is definitely deprecated, but does still work. I have used it a few times with some old scripts I built and they still work fine.
You definitely should look at the custom alert action framework if you are hoping to build a long-term solution.
This blog post is a great place to get started as it shows you how to use the Splunk add-on builder to create an alert action:
http://blogs.splunk.com/2016/10/24/creating-mcafee-epo-alert-and-arf-actions-with-add-on-builder/
These also cover how to build them in detail:
http://blogs.splunk.com/2016/08/22/how-to-create-a-modular-alert/
http://blogs.splunk.com/2015/10/05/scheduled-export-of-indexed-data/
Also you could download any one of the alert actions on splunkbase to pull them apart and see how they are built:
https://splunkbase.splunk.com/apps/#/app_content/alert_actions
 
		
		
		
		
		
	
			
		
		
			
					
		The "run a script" action is definitely deprecated, but does still work. I have used it a few times with some old scripts I built and they still work fine.
You definitely should look at the custom alert action framework if you are hoping to build a long-term solution.
This blog post is a great place to get started as it shows you how to use the Splunk add-on builder to create an alert action:
http://blogs.splunk.com/2016/10/24/creating-mcafee-epo-alert-and-arf-actions-with-add-on-builder/
These also cover how to build them in detail:
http://blogs.splunk.com/2016/08/22/how-to-create-a-modular-alert/
http://blogs.splunk.com/2015/10/05/scheduled-export-of-indexed-data/
Also you could download any one of the alert actions on splunkbase to pull them apart and see how they are built:
https://splunkbase.splunk.com/apps/#/app_content/alert_actions
Thanks for the info - I will check them and try to get some understanding and create a custom script. Do you have an example for Windows based scripting , the user is specifically looking for Windows based logs ?
 
					
				
		
If your search heads are on linux, then the windows script is not going to work. The scripted action will be occurring on the search head instance where the alert is triggered.
Ah! We have Search heads/indexers on Linux, the user who requested for the scripts is having there application logs on Windows , is there no other way to do it , I just wanted to provide the updated to the user so that I can close out the conversation with the user.
 
		
		
		
		
		
	
			
		
		
			
					
		It all comes down to what you want your scripted action to do, but generally, anything is possible with the right tools and desire to accomplish the task.
If the alert action lives on linux SH and the scripts need to run against a windows box, you will need to get creative to facilitate that, but it's nothing an ssh server on the windows box can't accomplish. (ie.ssh to windows box, and kick off a windows script that lives on the machine)
Just depends on scale, appetite for creativity, etc etc.
 
					
				
		
Not natively as this is not something the operating system can do. I'll reach out offline in case I can help with that discussion to the user.
 
					
				
		
I've not tried it but it should work. Regardless, as suggested in the same link, you should use Custom alert actions which is more scalable/robust way to achieving the same. The custom alert action also supports running custom scripts.
