Missing --execute Argument in Custom Alert App

secphilomath1
Explorer

I am working on a custom alert app to replace our old custom alert script action. It was working fine, but all of a sudden I am no longer getting the --execute argument passed and my script doesn't work any more.

Here is the code:

import json
import sys
from datetime import datetime

# log() and main() are defined elsewhere in the script (not shown in this post).

if __name__ == "__main__":

    # Clear logs ("w" truncates the log file)
    now = datetime.now()
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")

    log(dt_string + ":  Start Version 1.2", "w")

    log("Checking to see if we have any arguments...")
    log("Number of arguments: " + str(len(sys.argv)))

    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        log("We have arguments.")

        try:
            # The alert payload arrives as JSON on stdin
            payload = json.loads(sys.stdin.read())

            result_file = payload['results_file']

            # Pass the payload to main for processing....
            main(payload)

            # End
            now = datetime.now()
            dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
            log(dt_string + ": Processing complete.")

        except Exception as e:
            # Log the actual exception instead of swallowing it with a bare except
            log("We have an error on settings, exiting: " + repr(e))
            sys.exit(1)

    else:
        log("There were no arguments.  Exiting.")

    sys.exit()

Here is the output of my logging:

16/03/2023 10:55:16:  Start Version 1.2

Checking to see if we have any arguments...

Number of arguments: 1

There were no arguments.  Exiting.

I have no idea what the --execute argument is and how it is passed, or what it actually means, and can't find anything much about it. Hoping to shed some light here.

thanks!

0 Karma

secphilomath1
Explorer

Cool thanks for the reference info, but mine all of a sudden isn't passing the --execute and then is failing.  Can you think of a reason why it wouldn't pass that, the script is being called by the custom alert app.

0 Karma

yeahnah
Motivator

That sounds weird alright.

I guess you've tried a Splunk restart?

What do the internal logs show (Settings > Alert actions > View log events)? Any errors showing up?

Also, the new Splunk Dev Portal docs are pretty poor. The old docs were better. I found an archived copy here, if that helps.

http://web.archive.org/web/20220519181621/http://docs.splunk.com:80/Documentation/Splunk/latest/Adva...

0 Karma

yeahnah
Motivator

Hi @secphilomath1 

After you configure a test alert and define your custom alert action as a triggered action, when Splunk calls the alert action script it passes the --execute as the first command line parameter.

https://dev.splunk.com/enterprise/docs/devtools/customalertactions/writescriptcaa


Basically, something like this...

 python myalertscript.py --execute < myalert_result_payload.json

How are you testing your alerting script?

0 Karma
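Added example, not part of the thread and not Splunk's own code: an entry point for the invocation described above (`--execute` as `argv[1]`, JSON payload on stdin) that logs the full argument vector, rejects a malformed payload, and keeps the traceback when processing fails. The names `run`, `handle_alert`, `REDACT` and `SAMPLE` are hypothetical, and treating a `session_key` field as a secret to keep out of the log is an assumption about the payload.

```python
import io
import json
import sys
import traceback

REDACT = {"session_key"}  # assumed secret field in the payload; never log it


def handle_alert(payload):
    """Hypothetical stand-in for the poster's main(payload)."""
    return payload["results_file"]


def run(argv, stdin, log=sys.stderr):
    """Return an exit code instead of exiting, so the logic can be tested."""
    # Log what was actually received; an argument count alone hides the cause.
    print("argv=%r" % (argv,), file=log)
    if len(argv) < 2 or argv[1] != "--execute":
        print("ERROR expected --execute as argv[1]", file=log)
        return 2
    try:
        payload = json.load(stdin)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        print("ERROR payload on stdin is not JSON: %s" % exc, file=log)
        return 3
    if not isinstance(payload, dict) or "results_file" not in payload:
        print("ERROR payload has no results_file", file=log)
        return 3
    safe = {k: ("<redacted>" if k in REDACT else v) for k, v in payload.items()}
    print("payload=%s" % json.dumps(safe, sort_keys=True), file=log)
    try:
        handle_alert(payload)
    except Exception:
        # Keep the traceback; a bare 'except' would discard it.
        traceback.print_exc(file=log)
        return 1
    return 0


# Constructed sample payload, not captured from a real Splunk instance.
SAMPLE = json.dumps({"results_file": "/tmp/results.csv.gz", "session_key": "s3cr3t"})

if __name__ == "__main__":
    # Self-check on the constructed payload; in a deployed script this would
    # be sys.exit(run(sys.argv, sys.stdin)) instead.
    for argv in (["alert.py", "--execute"], ["alert.py"]):
        print(run(argv, io.StringIO(SAMPLE)))
```
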