Hi. As "Run a script" invoked from an alert action is deprecated, I tried a custom alert action to run a script, but it is not working. Below is the conf. test is the stanza name and test.sh is the script name, which I kept in the bin folder. Please help on this.
alert_action.conf

[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled = 0
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh

and try to run the scheduled search, because your stanza name and execution script have the same name. Here I am assuming alert_actions.conf and test.sh are in the same app.
Can you create an app with a UI like Splunk's "Run a script (deprecated)", in such a way that we don't get the warning and can select the filename of the script we want as an alert action?
No, it is not working. And how does my scheduled search know that this script test.sh has to be triggered? That is where I am stuck as well. My savedsearches.conf is below. Can you coordinate both and write the two conf files? Thanks.
[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error " debug source=*splunkd.log*
#action.test_scrip.param.search_query = index=_internal " error " debug source=*splunkd.log*
When you create a scheduled search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert action?
It looks like you created a report; you need to create an alert under Settings -> Searches, reports, and alerts -> New Alert, in which you'll be able to find this.
Also, I am not sure whether you created the Custom Alert Action properly or not, so I suggest you go through the docs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro
Hi, I created a mod input example but I could not make it work. Could you please create an app (mod input) and write the alert_actions.conf and savedsearches.conf? Your help is much appreciated.
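Added example, not written by any participant in this thread: the two stanzas wired together for the app path shown above, with alert.execute.cmd reduced to the file name (Splunk resolves it inside the app's bin directory) and the saved search opting into the action through action.test, which is the link the thread was missing. The file locations under the app and the payload_format line are my assumptions.

```ini
# /Data/splunk/etc/apps/0_script_test/default/alert_actions.conf (assumed location)
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
# JSON payload is delivered to the script on standard input
payload_format = json
# File name only, no path; the file must live in the app's bin directory
alert.execute.cmd = test.sh
disabled = 0

# /Data/splunk/etc/apps/0_script_test/local/savedsearches.conf (assumed location)
[Test]
search = index=_internal " error " debug source=*splunkd.log*
cron_schedule = */5 * * * *
enableSched = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.suppress = 1
alert.suppress.period = 100s
# action.<stanza name from alert_actions.conf> = 1 is what ties the
# scheduled search to the custom action; without it the script never runs
action.test = 1
```

Splunk invokes bin/test.sh with the single argument --execute and the alert payload as JSON on standard input, so the script must be executable (chmod +x) and read stdin rather than expect arguments. Appending | sendalert test to a search exercises the action immediately instead of waiting for the cron schedule.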