
Invoke a script from alert action

New Member

Hi. As "run a script" invoked from an alert action is deprecated, I tried a custom alert action to run a script, but it is not working. Below is the conf. `test` is the stanza name and test.sh is the script name, which I kept in the bin folder. Please help on this.

alert_actions.conf
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled = 0

Re: Invoke a script from alert action

New Member

Please help on this with the configuration.


Re: Invoke a script from alert action

SplunkTrust

Hi,

Remove `alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh` and try to run the scheduled search, because your stanza name and execution script have the same name. Here I am assuming alert_actions.conf and test.sh are in the same app, `0_script_test`.


Re: Invoke a script from alert action

New Member

No, it is not working. And how does my scheduled search know this script test.sh has to be triggered? That is where I am stuck as well. My savedsearches.conf is below. Can you coordinate both and write the two conf files? Thanks.

[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error "  debug source=*splunkd.log*
#action.test_scrip.param.search_query = index=_internal " error "  debug source=*splunkd.log*

Re: Invoke a script from alert action

New Member

My requirement is that whenever the above saved search is triggering an alert, test.sh should be invoked, but not via the "Run a script" method (deprecated).


Re: Invoke a script from alert action

SplunkTrust

When you create a scheduled search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert action?


Re: Invoke a script from alert action

New Member

How do I do that? I could not find that option. Could you please help me?


Re: Invoke a script from alert action

SplunkTrust

It looks like you created a report; you need to create an alert under Settings -> Searches, reports and alerts -> New Alert, in which you'll be able to find this option.

Also, I am not sure whether you created the Custom Alert Action properly or not, so I'd suggest you go through the docs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro

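Added example (not the poster's test.sh, nor code from the docs linked above) of what the bin/test.sh behind the `[test]` stanza can look like: Splunk runs a custom alert action's script as `test.sh --execute` and hands it a JSON payload on stdin describing the firing alert, so the script should read and validate that payload instead of expecting arguments. The sample payload is constructed, and the log path is an assumption.

```sh
#!/bin/sh
# bin/test.sh for the [test] custom alert action (added example).
# Splunk invokes the script as:  test.sh --execute
# and writes a JSON payload to stdin with fields such as search_name,
# sid, app, owner and results_file; the action's own parameters live
# under "configuration". The saved search enables this action with
# "action.test = 1" in savedsearches.conf (the stanza name after "action.").

# Constructed sample payload imitating what Splunk sends (values made up).
SAMPLE_PAYLOAD='{"search_name":"Test","sid":"scheduler__admin__search__RMD5abc_at_1600000000_1","app":"0_script_test","owner":"admin","results_file":"/tmp/results.csv.gz","configuration":{"search_query":"index=_internal error"}}'

# Extract a top-level string field from the payload with POSIX tools.
# $1 = payload, $2 = field name. Sufficient for Splunk's flat top-level
# fields; nested values would need a real JSON parser.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Validate the payload and return a one-line record describing the alert.
# A payload without search_name or sid is rejected (exit status 1) so an
# empty or malformed invocation is logged as an error, not acted on.
describe_alert() {
    payload="$1"
    name=$(json_field "$payload" search_name)
    sid=$(json_field "$payload" sid)
    if [ -z "$name" ] || [ -z "$sid" ]; then
        echo "ERROR missing search_name or sid in alert payload" >&2
        return 1
    fi
    printf 'alert fired: search_name=%s sid=%s app=%s\n' \
        "$name" "$sid" "$(json_field "$payload" app)"
}

# Entry point when Splunk calls the script with --execute: read the payload
# from stdin and append the record to a log file (path is an assumption).
if [ "$1" = "--execute" ]; then
    payload=$(cat)
    describe_alert "$payload" >> "${SPLUNK_HOME:-/tmp}/var/log/splunk/test_alert_action.log" || exit 1
fi
```

The script must be executable and sit in the app's bin directory; Splunk's own log of the action run is in splunkd.log under the `sendmodalert` component.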

Re: Invoke a script from alert action

New Member

Hi, I created a mod input example but I could not make it work. Could you please create an app (mod input) and write the alert_actions.conf and savedsearches.conf? Your help is much appreciated.


Re: Invoke a script from alert action

New Member

It worked. Thank you so much.
