Hi, as "Run a script" invoked from an alert action is deprecated, I tried to create a custom alert action that runs a script, but it is not working. Below is the conf. `test` is the stanza name and `test.sh` is the script name, which I kept in the bin folder. Please help with this.
alert_action.conf

[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh
disabled = 0
Set alert.execute.cmd = /Data/splunk/etc/apps/0_script_test/bin/test.sh and try to run the scheduled search, because your stanza name and execution script have the same name. Here I am assuming alertactions.conf and test.sh are in the same app, `0script_test`.
No, it is not working. And how does my scheduled search know that this script test.sh has to be triggered? That is where I am stuck as well. My savedsearches.conf is below. Can you coordinate both and write the two conf files? Thanks.
[Test]
alert.suppress = 1
alert.suppress.period = 100s
alert.track = 1
counttype = number of events
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.visualizations.custom.treemap_app.treemap.showLabels = 1
display.visualizations.custom.treemap_app.treemap.showLegend = 1
display.visualizations.custom.treemap_app.treemap.showTooltip = 1
display.visualizations.custom.treemap_app.treemap.useColors = 1
display.visualizations.custom.treemap_app.treemap.useZoom = 1
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=_internal " error " debug source=*splunkd.log*
#action.test_scrip.param.search_query = index=_internal " error " debug source=*splunkd.log*
My requirement is that whenever the above saved search triggers an alert, test.sh should be invoked, but not via the "Run a script" method (the deprecated one).
When you create a scheduled search, you need to select your alert action under Trigger Actions -> Add Actions. Can you please provide your app directory and file structure for your alert action?
It looks like you created a report; you need to create an alert under Settings -> Searches, reports, and alerts -> New Alert, where you will be able to find this.
Also, I am not sure whether you created the custom alert action properly, so I suggest you go through the docs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro
Hi, I created a mod input example but I could not make it work. Could you please create an app (mod input) and write the alert_actions.conf and savedsearches.conf? Your help is much appreciated.
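The thread never reaches the two working files the asker requested, so here is an added example written for this page (my own script, not code from any poster or from Splunk) that generates a minimal app wiring a custom alert action to a scheduled alert and then checks the wiring. It keeps the app name 0_script_test, the stanza name test, the saved search [Test] and its search string from the thread, and assumes the standard Splunk app layout under the apps directory you pass in (for example $SPLUNK_HOME/etc/apps), a log file at /tmp/test_alert_action.log for the script to write to, and the documented invocation of custom alert action scripts (script run with --execute and the payload delivered on stdin). Compared with the posted configuration it differs in four places: the file is alert_actions.conf (plural), alert.execute.cmd is the bare script name resolved in the app's bin/ directory rather than an absolute path, payload_format = json is set explicitly because the default payload is XML, and savedsearches.conf enables the action with action.test = 1 so the alert knows which script to fire.

```shell
#!/bin/sh
# Added example: build a Splunk app that binds a custom alert action ("test")
# to a scheduled alert ("Test"), then verify the binding. Nothing here talks
# to a running Splunk; it only writes files under the directory given.

# make_alert_app <apps_dir>
# Creates <apps_dir>/0_script_test (name taken from the thread) with the
# three files that matter and prints the resulting app directory.
make_alert_app() {
    app="$1/0_script_test"
    mkdir -p "$app/default" "$app/bin" "$app/metadata"

    # File name must be alert_actions.conf. The stanza name "test" is what
    # savedsearches.conf references as action.test. alert.execute.cmd is a
    # file name looked up in this app's bin/, not a path. payload_format
    # defaults to xml, so ask for json explicitly.
    cat > "$app/default/alert_actions.conf" <<'EOF'
[test]
is_custom = 1
label = Custom Alert Action
description = Triggers a custom alert action
icon_path = appIcon.png
alert.execute.cmd = test.sh
payload_format = json
disabled = 0
EOF

    # The alert: trigger condition (counttype/relation/quantity) plus the
    # binding to the custom action (actions = test and action.test = 1).
    cat > "$app/default/savedsearches.conf" <<'EOF'
[Test]
search = index=_internal " error " debug source=*splunkd.log*
cron_schedule = */5 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.suppress = 1
alert.suppress.period = 100s
actions = test
action.test = 1
EOF

    # Splunk runs the script as "test.sh --execute" with the payload on stdin
    # (search_name, sid, results_file, result, ...). Log path is an assumption.
    cat > "$app/bin/test.sh" <<'EOF'
#!/bin/sh
if [ "${1:-}" = "--execute" ]; then
    payload=$(cat)
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$payload" >> "${ALERT_LOG:-/tmp/test_alert_action.log}"
    exit 0
fi
echo "unexpected invocation: $*" >&2
exit 1
EOF
    chmod 755 "$app/bin/test.sh"

    # Export the objects so an alert created in the search app can see them.
    cat > "$app/metadata/default.meta" <<'EOF'
[]
access = read : [ * ], write : [ admin ]
export = system
EOF
    printf '%s\n' "$app"
}

# conf_get <file> <stanza> <key>: print the value of <key> inside [<stanza>].
conf_get() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s { hit = 1; next }
        /^\[/   { hit = 0 }
        hit {
            i = index($0, "=")
            if (i > 0) {
                key = substr($0, 1, i - 1); sub(/[ \t]+$/, "", key)
                if (key == k) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }
            }
        }' "$1"
}

# check_wiring <app_dir> <alert_stanza> <action_name>
# Returns 0 when the alert enables the action, the action stanza exists, and
# its alert.execute.cmd is an executable file name in bin/. Otherwise explains.
check_wiring() {
    app="$1"; alert="$2"; action="$3"
    [ "$(conf_get "$app/default/savedsearches.conf" "$alert" "action.$action")" = "1" ] ||
        { echo "alert [$alert] does not set action.$action = 1" >&2; return 1; }
    cmd=$(conf_get "$app/default/alert_actions.conf" "$action" "alert.execute.cmd")
    [ -n "$cmd" ] ||
        { echo "no [$action] stanza with alert.execute.cmd in alert_actions.conf" >&2; return 1; }
    case "$cmd" in
        */*) echo "alert.execute.cmd must be a file name in bin/, not a path: $cmd" >&2; return 1 ;;
    esac
    [ -x "$app/bin/$cmd" ] ||
        { echo "$app/bin/$cmd is missing or not executable" >&2; return 1; }
    return 0
}

# Stand-alone use: APPS_DIR=$SPLUNK_HOME/etc/apps sh make_alert_app.sh
if [ -n "${APPS_DIR:-}" ]; then
    built=$(make_alert_app "$APPS_DIR")
    check_wiring "$built" Test test && echo "wired: $built"
fi
```

After copying the app into place, restart Splunk (or reload via the debug/refresh endpoint), open the [Test] alert in Settings -> Searches, reports, and alerts, and confirm "Custom Alert Action" appears under Trigger Actions; each firing appends one JSON line to the log path above. Failures of the script surface in splunkd.log under the sendmodalert component, which is the first place to look when the log stays empty.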