Alerting

Invoke a script from alert action

rajagurup
New Member

Hi, as Run a script invoked from an alert action is deprecated, I tried a custom alert action to run a script, but it is not working. Below is the conf. test is the stanza name and test.sh is the script name, which I kept in the bin folder. Please help on this.

alert_action.conf
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled = 0

manjunathmeti
Champion

Hi @rajaguru27902,

Check my answer https://answers.splunk.com/answers/810829/problem-with-scripted-alert.html#answer-810832 for steps to create an app for custom alert action.


rajaguru27902
New Member

Please help on this with the configuration.


harsmarvania57
Ultra Champion

Hi,

Remove alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh and try to run the scheduled search, because your stanza name and execution script have the same name. Here I am assuming alert_actions.conf and test.sh are in the same app, 0_script_test.


rajagurup
New Member

Hi ,

Can you create an app with a UI the same as Splunk's Run the script (deprecated), in such a way that we don't get the warning and can select the filename of the script we want as an alert action?


rajaguru27902
New Member

No, it is not working. And how does my scheduled search know that this script test.sh has to be triggered? That is where I am stuck as well. Here is my savedsearches.conf. Can you coordinate both and write the two conf files? Thanks.

[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error "  debug source=*splunkd.log*
#action.test_scrip.param.search_query = index=_internal " error "  debug source=*splunkd.log*

rajaguru27902
New Member

My requirement is that whenever the above saved search triggers an alert, test.sh should be invoked, but not via the Run the script (deprecated) method.


harsmarvania57
Ultra Champion

When you create a scheduled search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert action?


rajaguru27902
New Member

How do I do that? I could not find that option. Could you please help me?


harsmarvania57
Ultra Champion

It looks like you created a report; you need to create an alert under Settings -> Searches, reports, and alerts -> New Alert, where you'll be able to find this.

Also, I am not sure whether you created the Custom Alert Action properly or not, so I suggest you go through the docs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro

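The missing piece in the thread is what bin/test.sh actually receives once the alert is wired up: Splunk runs a custom alert action as "test.sh --execute" and writes one single-line JSON payload (search_name, sid, results_file, configuration, ...) to stdin. The following is an added example, not code from the thread, from Splunk, or from the 0_script_test app; the log path, the matching conf lines and the sample payload are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): a minimal bin/test.sh
# for the custom alert action. Splunk invokes it as "test.sh --execute" and
# passes one single-line JSON payload on stdin; the fields read here
# (search_name, sid, results_file) are part of that payload.
#
# Matching config (app 0_script_test, stanza [test], as in the thread):
#   default/alert_actions.conf -> [test]  is_custom = 1  alert.execute.cmd = test.sh
#   savedsearches.conf         -> [Test]  action.test = 1
#   alert.execute.cmd takes only the file name; the script must live in the app's bin/.

LOGFILE="${ALERT_LOG:-/tmp/test_alert.log}"   # assumed; set ALERT_LOG to override

# Extract a top-level string field from the one-line JSON payload (no jq needed).
json_field() {   # $1 = payload, $2 = key
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Handler: returns 0 when the payload was accepted and logged, non-zero otherwise.
handle_alert() {   # $1 = first argument from Splunk (must be --execute), payload on stdin
    [ "$1" = "--execute" ] || { echo "usage: test.sh --execute" >&2; return 2; }
    payload=$(cat)
    search_name=$(json_field "$payload" search_name)
    sid=$(json_field "$payload" sid)
    results_file=$(json_field "$payload" results_file)
    [ -n "$search_name" ] && [ -n "$sid" ] || { echo "malformed payload" >&2; return 3; }
    # Only trust a results file inside Splunk's own dispatch directory.
    case "$results_file" in
        */var/run/splunk/dispatch/*) ;;
        *) echo "unexpected results_file: $results_file" >&2; return 4 ;;
    esac
    printf '%s search=%s sid=%s results=%s\n' "$(date -u +%FT%TZ)" \
        "$search_name" "$sid" "$results_file" >> "$LOGFILE"
}

# Constructed payload in the shape Splunk sends (all values are made up).
SAMPLE_PAYLOAD='{"sid":"scheduler__admin__search__RMD5_at_1600000000_1","search_name":"Test","app":"0_script_test","owner":"admin","results_file":"/Data/splunk/var/run/splunk/dispatch/scheduler__admin__search__RMD5_at_1600000000_1/results.csv.gz","configuration":{}}'

# Stand-alone run ("sh test.sh --demo"): simulate the invocation Splunk performs.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_PAYLOAD" | handle_alert --execute && echo "logged to $LOGFILE"
fi
```

Any action parameters (action.test.param.*) arrive inside the payload's configuration object, so the script never needs absolute paths or a search string hard-coded in savedsearches.conf.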

rajaguru27902
New Member

Hi, I created a mod input example but I could not make it work. Could you please create an app (mod input) and write the alert_actions.conf and savedsearches.conf? Your help is much appreciated.


rajaguru27902
New Member

It worked. Thank you so much.
