Hi, as running a script invoked from an alert action is deprecated, I tried a custom alert action for a script, but it is not working. Below is the conf. test is the stanza name and test.sh is the script name, which I kept in the bin folder. Please help on this.
alert_actions.conf
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled = 0
Hi @rajaguru27902,
Check my answer https://answers.splunk.com/answers/810829/problem-with-scripted-alert.html#answer-810832 for steps to create an app for custom alert action.
Please help me with the configuration.
Hi,
Remove alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
and try to run the scheduled search, because your stanza name and execution script have the same name. Here I am assuming alert_actions.conf and test.sh are in the same app, 0_script_test.
Hi,
Can you create an app with a UI like Splunk's Run a script (deprecated), in such a way that we don't get the warning and can select the filename of the script we want as an alert action?
No, it is not working. And how does my scheduled search know that this script test.sh has to be triggered? That is where I am stuck as well. My savedsearches.conf is below. Can you coordinate both and write the two conf files? Thanks.
[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error " debug source=*splunkd.log*
#action.test.param.search_query = index=_internal " error " debug source=*splunkd.log*
My requirement is that whenever the above saved search triggers an alert, test.sh should be invoked, but not by the Run a script (deprecated) method.
When you create a scheduled search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert actions?
How do I do that? I could not find that option. Could you please help me?
It looks like you created a report; you need to create an alert under Settings -> Searches, reports, and alerts -> New Alert, in which you'll be able to find this.
Also, I am not sure whether you created the custom alert action properly or not, so I suggest you go through the docs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro
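As an added example (not code from the thread or from Splunk), here is the complete app layout the two answers above describe: alert_actions.conf without alert.execute.cmd, so Splunk picks bin/test.sh by stanza name; savedsearches.conf with the action.test = 1 line that Trigger Actions -> Add Actions writes; and a bin/test.sh that accepts the --execute argument Splunk passes and reads the JSON payload Splunk sends on stdin. The app name 0_script_test, the stanza name test and the script name test.sh come from the thread; the app base directory, the app.conf contents, the hypothetical functions (build_app, run_action) and the sample payload are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: minimal Splunk app for the custom alert action discussed above.
# Assumptions: app name 0_script_test and script test.sh (from the thread); the app
# base directory, app.conf contents and the sample payload are constructed here.
set -eu

# In production this is $SPLUNK_HOME/etc/apps; a temp dir keeps the example self-contained.
APP_BASE="${APP_BASE:-$(mktemp -d)}"
APP_ROOT="$APP_BASE/0_script_test"

write_file() { mkdir -p "$(dirname "$1")"; cat > "$1"; }

build_app() {
  write_file "$APP_ROOT/default/app.conf" <<'EOF'
[install]
is_configured = 1
[ui]
is_visible = 0
label = Script alert action
EOF
  # No alert.execute.cmd: Splunk runs bin/test.sh because it matches the stanza name.
  write_file "$APP_ROOT/default/alert_actions.conf" <<'EOF'
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
payload_format = json
disabled = 0
EOF
  # action.test = 1 is what "Trigger Actions -> Add Actions" writes; it ties the alert
  # to the [test] stanza. action.test.param.* values arrive under "configuration".
  write_file "$APP_ROOT/default/savedsearches.conf" <<'EOF'
[Test]
search = index=_internal " error " debug source=*splunkd.log*
cron_schedule = */5 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.suppress = 1
alert.suppress.period = 100s
action.test = 1
action.test.param.search_query = index=_internal " error " debug source=*splunkd.log*
EOF
  # Splunk invokes bin/test.sh --execute and writes one JSON object to its stdin.
  # Lines the script writes to stderr end up in splunkd.log (component sendmodalert).
  write_file "$APP_ROOT/bin/test.sh" <<'EOF'
#!/bin/sh
set -eu
if [ "${1:-}" != "--execute" ]; then
  echo "test.sh: expected --execute; this script is meant to be run by Splunk" >&2
  exit 1
fi
payload=$(cat)
# Pull one string value out of the flat JSON payload; handles \" inside values.
field() {
  printf '%s\n' "$payload" |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"\\]*\(\\.[^"\\]*\)*\)".*/\1/p' |
    sed 's/\\"/"/g'
}
search_name=$(field search_name); sid=$(field sid)
results_file=$(field results_file); query=$(field search_query)
if [ -z "$search_name" ] || [ -z "$sid" ]; then
  echo "test.sh: malformed payload" >&2
  exit 2
fi
# Real work (ticket, webhook, ...) goes here; this example only reports what it received.
# Never echo session_key: it is a live credential for the search head.
printf 'alert=%s sid=%s results_file=%s query=%s\n' "$search_name" "$sid" "$results_file" "$query"
EOF
  chmod 755 "$APP_ROOT/bin/test.sh"
}

# Constructed payload in the shape Splunk sends (session_key redacted).
sample_payload() {
  cat <<'EOF'
{"sid":"scheduler__admin__search__RMD5abc_at_1600000000_1","search_name":"Test","app":"search","owner":"admin","results_file":"/Data/splunk/var/run/splunk/dispatch/scheduler__admin__search__RMD5abc_at_1600000000_1/results.csv.gz","results_link":"https://splunk.example.com:8000/app/search/@go?sid=scheduler__admin__search__RMD5abc_at_1600000000_1","server_host":"splunk.example.com","server_uri":"https://127.0.0.1:8089","session_key":"REDACTED","configuration":{"search_query":"index=_internal \" error \" debug source=*splunkd.log*"}}
EOF
}

list_app_files() { (cd "$APP_BASE" && find 0_script_test -type f | sort); }
run_action() { sample_payload | "$APP_ROOT/bin/test.sh" --execute; }

build_app
list_app_files
run_action
```

Run as-is and it builds the app in a temp directory, lists the files, and feeds the constructed payload to bin/test.sh; to install for real, copy the 0_script_test directory to $SPLUNK_HOME/etc/apps and restart Splunk. The sed-based field() is enough to show the contract (one JSON object on stdin, values with escaped quotes included); for a production script parse the payload with jq or Python instead, and keep session_key out of any log line the script writes.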
Hi, I created a mod input example but I could not make it work. Could you please create an app (mod input) and write the alert_actions.conf and savedsearches.conf? Your help is much appreciated.
It worked. Thank you so much.