Alerting

Running a PHP script from an alert, with the results passed as arguments

damiko
Communicator

Hello Ninjas!
I need help with setting up an alert which triggers a PHP script with the results. This script should pass the results to a 3rd-party system.
For example: script.php "date | field1 | field 2 | _raw "

0 Karma
1 Solution

manjunathmeti
SplunkTrust

Step 1. Place the script my_script.php in $SPLUNK_HOME/etc/apps/[app]/bin/.

Step 2. Create a php.path file in $SPLUNK_HOME/etc/apps/[app]/bin/ or in $SPLUNK_HOME/bin/ with the content below (the path to the binary) and make it executable.

/usr/bin/php

Step 3. Create app.conf and alert_actions.conf in $SPLUNK_HOME/etc/apps/[app]/default/ with the configurations below. Note that the name of the script should be the same as its alert_actions.conf stanza name.

app.conf:

[ui]
is_visible = 0
label = My Alert Action

[launcher]
description = My Alert Action
version = 1.0.0

[install]
state = enabled
is_configured = 1

alert_actions.conf:

[my_script]
is_custom = 1
label = My Alert Action
disabled = 0
alert.execute.cmd = php.path
alert.execute.cmd.arg.0 = $SPLUNK_HOME/etc/apps/[app]/bin/my_script.php
alert.execute.cmd.arg.1 = $trigger_date$
alert.execute.cmd.arg.2 = $result.field1$
alert.execute.cmd.arg.3 = $result.field2$
alert.execute.cmd.arg.4 = $result._raw$

Note that $result.field1$, $result.field2$ and $result._raw$ are the field values from the first row of the search results.

Step 4. Configure the alert with this alert action in savedsearches.conf:

[alert_name]
action.my_script = 1

The script will be executed like this:
/usr/bin/php $SPLUNK_HOME/etc/apps/[app]/bin/my_script.php $trigger_date$ $result.field1$ $result.field2$ $result._raw$

damiko
Communicator

I did everything step by step as in your instructions; the people on the other side (the 3rd-party app), who are waiting for the script results, said it didn't trigger.
For clarification: the script is not mine, but I have to run it with arguments. It works when I run it from the command line like this: php my_script.php "test1 | test2 | test3 | test4"

0 Karma

manjunathmeti
SplunkTrust

Check splunkd logs:

index=_internal earliest=-24h action=my_script

damiko
Communicator

[screenshot]

Here is the result. Same error on every alert:
02-20-2020 16:38:04.787 +0600 ERROR sendmodalert - action=Splunk_integration - Failed to find alert.execute.cmd "/path/to/php".

0 Karma

manjunathmeti
SplunkTrust

You need to provide the path to /path/to/php for alert.execute.cmd.

Set alert.execute.cmd = php

damiko
Communicator

I tried adding the full path: alert.execute.cmd = /opt/splunk/etc/apps/myapp/bin/script.php
And also just adding alert.execute.cmd = php, as you said.

No use, same errors.
Please check the pic:
[screenshot]

0 Karma

manjunathmeti
SplunkTrust

Is the script path /opt/splunk/etc/apps/myapp/bin/script.php or /opt/splunk/etc/apps/alert_action/bin/my_script.php?

Make sure this script is executable.
chmod +x /opt/splunk/etc/apps/alert_action/bin/my_script.php

Also add the file default.metadata in /metadata/ with the content below.

[]
access = read : [ * ], write : [ admin ]
export = system

damiko
Communicator

/opt/splunk/etc/apps/alert_action/bin/my_script.php - this is what my script path looks like.
The script is executable. I've added the metadata. Still the same error.

0 Karma

manjunathmeti
SplunkTrust

Wait, absolute paths are not supported for alert.execute.cmd.
Step 1. Create php.path in /opt/splunk/etc/apps/alert_action/bin/ with below content:

/usr/bin/php

Step 2. Make .path file executable:
chmod +x /opt/splunk/etc/apps/alert_action/bin/php.path

Step 3. Set alert.execute.cmd = php.path in alert_actions.conf.

damiko
Communicator

Cool, I've got events which show successful results. Now I'm waiting for a response from the devs.
[screenshot]

0 Karma

manjunathmeti
SplunkTrust

One more thing: the script will be executed like this, with four separate parameters.

/usr/bin/php /opt/splunk/etc/apps/alert_action/bin/my_script.php date field1 field2 _raw

If the parameter is this: "test1 | test2 | test3 | test4", then make below changes in alert_actions.conf:

[my_script]
is_custom = 1
label = My Alert Action
disabled = 0
alert.execute.cmd = php.path
alert.execute.cmd.arg.0 = /opt/splunk/etc/apps/alert_action/bin/my_script.php
alert.execute.cmd.arg.1 = $trigger_date$ | $result.field1$ | $result.field2$ | $result._raw$

damiko
Communicator

Thanks, the script is working, but the data being sent is incorrect. Instead of sending the token values it sends the token text string.
The 3rd party is receiving it as text: $trigger_date$ $result.field1$ $result.field2$ $result._raw$.
Please see the pic below, and don't pay attention to the two trigger_dates, that's my mistake 🙂

[screenshot]

0 Karma

manjunathmeti
SplunkTrust

My apologies, alert.execute.cmd.arg only supports text.

Custom alert actions work best with a Python script. Let's try it that way. Create a Python script /opt/splunk/etc/apps/alert_action/bin/my_script.py as a wrapper for my_script.php with the content below and update alert_actions.conf.

#!/usr/bin/python
import sys
import subprocess
import json

PHP = "/usr/bin/php"
SCRIPT = "/opt/splunk/etc/apps/alert_action/bin/my_script.php"

if __name__ == "__main__":
    # Splunk invokes a custom alert action script as "my_script.py --execute"
    # and passes the alert payload as JSON on stdin.
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
        sys.exit(1)
    settings = json.loads(sys.stdin.read())
    # 'configuration' holds the param.* values from alert_actions.conf with the tokens expanded
    config = settings['configuration']
    inputs = "%s | %s | %s | %s" % (config.get('trigger_date'), config.get('status'),
                                    config.get('uri_path'), config.get('raw'))
    # Pass the command as an argument list, not as a shell string: with shell=True the shell
    # treats every '|' as a pipe, so the PHP script only receives the text before the first '|',
    # and any shell metacharacters in _raw would be interpreted as well.
    command = [PHP, SCRIPT, inputs]
    try:
        p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, error = p.communicate()
        if error:
            sys.stderr.write("ERROR %s\n" % error.decode("utf-8", "replace"))
        if out:
            sys.stdout.write(out.decode("utf-8", "replace"))
        # Propagate the PHP exit code so sendmodalert logs a non-zero exit code on failure
        sys.exit(p.returncode)
    except Exception as e:
        sys.stderr.write("ERROR Unexpected error: %s\n" % e)
        sys.exit(1)

Update alert_actions.conf with the content below. You don't need to provide the script name, as the stanza name matches the script name: my_script.py in the app directory /opt/splunk/etc/apps/alert_action/bin/.

[my_script]
is_custom = 1
label = My Alert Action
payload_format = json
param.trigger_date = $trigger_date$
param.status = $result.status$
param.uri_path = $result.uri_path$
param.raw = $result._raw$

I tested this on my dev stack.

damiko
Communicator

Hello manjunathmeti! I've created a Python script with your code. I updated alert_actions.conf as you said, but now I'm getting the warning below. I guess it can't find a script to execute. Maybe I forgot to add a line in alert_actions.conf?

02-24-2020 10:37:06.409 +0600 WARN sendmodalert - action=Splunk_integration - Unable to find alert action script for action="Splunk_integration" in app="alert_action_php"

Below are my_script.py and alert_actions.conf:

[screenshot]

[screenshot]

0 Karma

manjunathmeti
SplunkTrust

Hi @damiko,

In alert_actions.conf stanza name must be "my_script". Change stanza name Splunk_integration to my_script.

Also remove the one leading space from each line (starting from line 2) in the Python script, to avoid Python indentation errors.

damiko
Communicator

Not working, they say. Well, I get this message in the search:

02-24-2020 12:11:10.666 +0600 INFO sendmodalert - Invoking modular alert action=Splunk_integration for search="Damir_php_test" sid="scheduler_admin_YWxlcnRfYWN0aW9uX3BocA_RMD5f6cda7d30fd7e0b1_at_1582524660_62268" in app="alert_action_php" owner="admin" type="saved"

Which means that alert executed correctly, right?
What might be the issue then?

0 Karma

manjunathmeti
SplunkTrust

You should see one more log like below:

INFO sendmodalert - action= Splunk_integration - Alert action script completed in duration=XXX ms with exit code=0

Also make sure your search Damir_php_test contains the fields: status, uri_path and _raw.

damiko
Communicator

OK, they gave me access to their portal.
It's receiving data, but only trigger_date.
[screenshot]

0 Karma

manjunathmeti
SplunkTrust

Does the search Damir_php_test contain these fields: status, uri_path and _raw?

If yes, then append | table status, uri_path, _raw to the search query and check.

damiko
Communicator

Yes, it does. My search initially had this query with | table status, uri_path, _raw

Please check below:
[screenshot]

P.S.
Still getting only trigger_date.
[screenshot]

0 Karma
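The wrapper posted earlier in this thread builds one command string and runs it with shell=True, so a POSIX shell reads every `|` in `trigger_date | status | uri_path | raw` as a pipe: the PHP script receives only the text before the first `|` (consistent with the symptom above, where only trigger_date arrives), and any shell metacharacters inside _raw would be interpreted too. The following is an added example, not code from this thread or from Splunk. It parses a constructed payload in the shape sendmodalert writes to stdin with --execute, shows how a shell would tokenize the string form, and runs the argument-list form against a stand-in for my_script.php (a one-line Python argv echo, assumed here because php may not be installed) to confirm the whole string arrives as a single argument. The names build_inputs, shell_tokens and run_as_argv and the sample values are mine.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample of the JSON Splunk passes on stdin to a custom alert
# action script invoked with --execute (only the keys used here are shown).
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Damir_php_test",
    "configuration": {
        "trigger_date": "2020-02-24",
        "status": "200",
        "uri_path": "/login",
        "raw": "2020-02-24 12:11:10 status=200 uri_path=/login",
    },
})

# Stand-in for my_script.php (assumption: php may not be installed here).
# It echoes its argv as JSON so we can see exactly what the child received.
ARGV_ECHO = "import json, sys; print(json.dumps(sys.argv[1:]))"


def build_inputs(config):
    """Join the four fields in the 'date | field1 | field2 | _raw' layout the
    third-party script expects, as the wrapper in the thread does."""
    return " | ".join(str(config.get(k, "")) for k in
                      ("trigger_date", "status", "uri_path", "raw"))


def shell_tokens(command_line):
    """Tokenize a command line the way a POSIX shell would: '|' (and other
    control punctuation) becomes its own token, so each field after the
    first '|' would start a new command instead of reaching the script."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_as_argv(payload_json):
    """Run the stand-in script with an argument list (no shell involved) and
    return the argv it saw; the joined field string is a single element."""
    config = json.loads(payload_json)["configuration"]
    argv = [sys.executable, "-c", ARGV_ECHO, build_inputs(config)]
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    config = json.loads(SAMPLE_PAYLOAD)["configuration"]
    string_form = "/usr/bin/php my_script.php " + build_inputs(config)
    print("shell would see:", shell_tokens(string_form))
    print("argv form delivers:", run_as_argv(SAMPLE_PAYLOAD))
```

The list form is also what makes the wrapper safe to feed with _raw: event text is handed to the child process as data, never re-parsed by a shell, so the only thing that still needs checking is that the search actually returns the status, uri_path and _raw fields the params reference.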