Re: Invoke a script from alert action

rajagurup · ‎03-26-2020

Hi As run a script invoked from alert action is deprecated I tried to custom alert action to a script bit it is not working. Below os the conf. test is the stanza name and test.sh is the script name which I kept in bin folder. Please help on this.

alert_action.conf
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled=0

manjunathmeti · ‎03-29-2020

Hi @rajaguru27902,

Check my answer https://answers.splunk.com/answers/810829/problem-with-scripted-alert.html#answer-810832 for steps to create an app for custom alert action.

rajaguru27902 · ‎03-27-2020

Pls help on this with the configuration

harsmarvania57 · ‎03-27-2020

Hi,

Remove alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh and try to run schedule search because your stanza name and execution script has same name & here I am assuming alert_actions.conf and test.sh is in same app 0_script_test

rajagurup · ‎03-31-2020

Hi ,

Can you create an app with UI same like Run the script(deprecated) by Splunk in such a way that we dont get warning and select the filename of the script we want as an alert action

rajaguru27902 · ‎03-27-2020

No it is not working. And how my scheduled search knows this script test.sh has to be trieggered. That is where I stuck as well. My savedsearches.conf. Can you coordinate both and write the two conf files. Thanks.

[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error "  debug source=*splunkd.log*
#action.test_scrip.param.search_query = index=_internal " error "  debug source=*splunkd.log*

rajaguru27902 · ‎03-27-2020

My requirement is whenever above saved search is trigerring alert test.sh should be invoked but not in the method of >Run the script(deprecated method)

harsmarvania57 · ‎03-27-2020

When you create schedule search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert actions ?

rajaguru27902 · ‎03-27-2020

How to do that. I could not find that option. Could you please help me?

harsmarvania57 · ‎03-27-2020

It looks like you created report, you need to create alert under Settings -> Searches, report and alerts -> New Alert. In which you'll able to find this.

Also I am not sure whether you created Custom Alert Action properly or not so I'll suggest you to go through docs https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro

rajaguru27902 · ‎03-29-2020

Hi, I created a mod input example but I could not make it work. Could you please create an app(mod input) and write the alert_actions.conf and savedsearches.conf. Your help is much ap[[reciated.

rajaguru27902 · ‎03-30-2020

It worked. Thank you so much.

Invoke a script from alert action

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation