Alerting

Invoke a script from alert action

rajagurup
New Member

Hi, as Run a script invoked from alert action is deprecated, I tried a custom alert action to a script but it is not working. Below is the conf. test is the stanza name and test.sh is the script name, which I kept in the bin folder. Please help on this.

alert_action.conf
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled=0
0 Karma

manjunathmeti
SplunkTrust

Hi @rajaguru27902,

Check my answer https://answers.splunk.com/answers/810829/problem-with-scripted-alert.html#answer-810832 for steps to create an app for custom alert action.

0 Karma

rajaguru27902
New Member

Pls help on this with the configuration

0 Karma

harsmarvania57
SplunkTrust

Hi,

Remove alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh and try to run the scheduled search, because your stanza name and execution script have the same name, and here I am assuming alert_actions.conf and test.sh are in the same app 0_script_test.

0 Karma

rajagurup
New Member

Hi ,

Can you create an app with a UI the same as Run the script (deprecated) by Splunk, in such a way that we don't get the warning and can select the filename of the script we want as an alert action?

0 Karma

rajaguru27902
New Member

No, it is not working. And how does my scheduled search know this script test.sh has to be triggered? That is where I am stuck as well. My savedsearches.conf: Can you coordinate both and write the two conf files? Thanks.

[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error "  debug source=*splunkd.log*
#action.test_scrip.param.search_query = index=_internal " error "  debug source=*splunkd.log*
0 Karma

rajaguru27902
New Member

My requirement is that whenever the above saved search is triggering an alert, test.sh should be invoked, but not in the method of Run the script (deprecated method).

0 Karma

harsmarvania57
SplunkTrust

When you create a scheduled search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert action?

0 Karma

rajaguru27902
New Member

How to do that. I could not find that option. Could you please help me?

0 Karma

harsmarvania57
SplunkTrust

It looks like you created a report; you need to create an alert under Settings -> Searches, reports, and alerts -> New Alert, in which you'll be able to find this.

Also, I am not sure whether you created the Custom Alert Action properly or not, so I'll suggest you go through the docs https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro

0 Karma
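As an added illustration of the wiring discussed above (constructed for this thread, not code posted by anyone in it), here is what bin/test.sh in the 0_script_test app could look like for the custom alert action whose stanza is named test: Splunk runs a custom alert action script with the --execute argument and a JSON payload on stdin, and the action is enabled for a saved search with action.test = 1 in savedsearches.conf (the same thing the Trigger Actions UI writes). The log location and the sample payload are assumptions.

```shell
#!/bin/sh
# Constructed example of $SPLUNK_HOME/etc/apps/0_script_test/bin/test.sh for the
# custom alert action "test" (the stanza name in alert_actions.conf).
# Splunk invokes it as:   test.sh --execute   with a JSON payload on stdin.
# The saved search enables it with:   action.test = 1   in savedsearches.conf.

LOG_DIR="${SPLUNK_HOME:-/tmp}/var/log/splunk"   # assumption: log beside splunkd.log
LOG_FILE="$LOG_DIR/test_alert_action.log"

# Pull one top-level string field out of the flat JSON payload using sed only,
# so the script needs no jq. Good enough for the top-level keys Splunk sends.
json_field() {
    # $1 = JSON text, $2 = key name
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Validate the payload and return a single log line describing the alert.
# Fails (non-zero) when the fields Splunk always supplies are missing, so a
# malformed or hand-crafted invocation never leads to any further work.
handle_payload() {
    payload="$1"
    name=$(json_field "$payload" search_name)
    sid=$(json_field "$payload" sid)
    results=$(json_field "$payload" results_file)
    if [ -z "$name" ] || [ -z "$sid" ]; then
        echo "ERROR: payload lacks search_name or sid" >&2
        return 1
    fi
    echo "alert=$name sid=$sid results=$results"
}

# Entry point used by Splunk; running the file without --execute does nothing.
if [ "${1:-}" = "--execute" ]; then
    mkdir -p "$LOG_DIR"
    payload=$(cat)                      # the whole JSON document from stdin
    handle_payload "$payload" >> "$LOG_FILE"
fi
```

Test the script by hand with echo '{"sid":"x","search_name":"Test"}' | ./test.sh --execute and check the log file; the results_file path can then be read to act on the matching events.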

rajaguru27902
New Member

Hi, I created a mod input example but I could not make it work. Could you please create an app (mod input) and write the alert_actions.conf and savedsearches.conf? Your help is much appreciated.

0 Karma

rajaguru27902
New Member

It worked. Thank you so much.

0 Karma