Hello Ninjas!
I need help setting up an alert that triggers a PHP script with the results. This script should pass the results to a 3rd-party system.
For example: script.php "date | field1 | field 2 | _raw "
Step 1. Place the script my_script.php in $SPLUNK_HOME/etc/apps/[app]/bin/.
Step 2. Create a php.path file in $SPLUNK_HOME/etc/apps/[app]/bin/ or in $SPLUNK_HOME/bin/ with the content below (the path to the binary) and make it executable.
/usr/bin/php
Step 3. Create app.conf and alert_actions.conf in $SPLUNK_HOME/etc/apps/[app]/default/ with the configurations below. Note that the name of the script must match its alert_actions.conf stanza name.
app.conf:
[ui]
is_visible = 0
label = My Alert Action
[launcher]
description = My Alert Action
version = 1.0.0
[install]
state = enabled
is_configured = 1
alert_actions.conf:
[my_script]
is_custom = 1
label = My Alert Action
disabled = 0
alert.execute.cmd = php.path
alert.execute.cmd.arg.0 = $SPLUNK_HOME/etc/apps/[app]/bin/my_script.php
alert.execute.cmd.arg.1 = $trigger_date$
alert.execute.cmd.arg.2 = $result.field1$
alert.execute.cmd.arg.3 = $result.field2$
alert.execute.cmd.arg.4 = $result._raw$
Note that $result.field1$, $result.field2$ and $result._raw$ are the field values from the first row of the search results.
Step 4. Configure the alert with this alert action:
savedsearches.conf:
[alert_name]
action.my_script = 1
The script will be executed like this:
/usr/bin/php $SPLUNK_HOME/etc/apps/[app]/bin/my_script.php $trigger_date$ $result.field1$ $result.field2$ $result._raw$
I did everything step by step as in your instructions; the people on the other side (the 3rd-party app), who are waiting for the script results, said it didn't trigger.
For clarification: the script is not mine, but I have to run it with arguments. It works when I run it from the command line like this: php my_script.php "test1 | test2 | test3 | test4"
Check splunkd logs:
index=_internal earliest=-24h action=my_script
Here is the result. The same error on every alert:
02-20-2020 16:38:04.787 +0600 ERROR sendmodalert - action=Splunk_integration - Failed to find alert.execute.cmd "/path/to/php".
You need to provide the path to php in place of /path/to/php for alert.execute.cmd.
Set alert.execute.cmd = php
I tried adding the full path: alert.execute.cmd = /opt/splunk/etc/apps/myapp/bin/script.php
And also just alert.execute.cmd = php, as you said.
No use, the same errors.
Please check the pic.
Is the script path /opt/splunk/etc/apps/myapp/bin/script.php or /opt/splunk/etc/apps/alert_action/bin/my_script.php?
Make sure this script is executable.
chmod +x /opt/splunk/etc/apps/alert_action/bin/my_script.php
Also add the file default.meta in the app's metadata/ directory with the content below.
[]
access = read : [ * ], write : [ admin ]
export = system
/opt/splunk/etc/apps/alert_action/bin/my_script.php - this is what my script path looks like.
The script is executable. I've added the metadata. Still the same error.
Wait, absolute paths are not supported for alert.execute.cmd.
Step 1. Create php.path in /opt/splunk/etc/apps/alert_action/bin/ with the content below:
/usr/bin/php
Step 2. Make the .path file executable:
chmod +x /opt/splunk/etc/apps/alert_action/bin/php.path
Step 3. Set alert.execute.cmd = php.path in alert_actions.conf.
Cool, I've got events showing successful results. Now I'm waiting for a response from the devs.
One more thing: the script will be executed like this, with four separate parameters.
/usr/bin/php /opt/splunk/etc/apps/alert_action/bin/my_script.php date field1 field 2 _raw
If the parameter is this: "test1 | test2 | test3 | test4", then make the changes below in alert_actions.conf:
[my_script]
is_custom = 1
label = My Alert Action
disabled = 0
alert.execute.cmd = php.path
alert.execute.cmd.arg.0 = /opt/splunk/etc/apps/alert_action/bin/my_script.php
alert.execute.cmd.arg.1 = $trigger_date$ | $result.field1$ | $result.field2$ | $result._raw$
Thanks, the script is working, but the data being sent is incorrect. Instead of sending the token values it sends the token text string.
The 3rd party is receiving it as text: $trigger_date$ $result.field1$ $result.field2$ $result._raw$.
Please see the pic below and don't pay attention to the 2 trigger_dates, it's my mistake 🙂
My apologies, alert.execute.cmd.arg only supports text.
Custom alert actions work best with a Python script. Let's try it with that. Create a Python script /opt/splunk/etc/apps/alert_action/bin/my_script.py as a wrapper for my_script.php with the content below and update alert_actions.conf.
#!/usr/bin/python
import sys
import subprocess
import json

if __name__ == "__main__":
    # Splunk invokes a custom alert action script as: my_script.py --execute
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
        sys.exit(1)
    # With payload_format = json the alert payload arrives as JSON on stdin;
    # the param.* values from alert_actions.conf are under 'configuration'
    settings = json.loads(sys.stdin.read())
    config = settings['configuration']
    inputs = "%s | %s | %s | %s" % (config.get('trigger_date'), config.get('status'), config.get('uri_path'), config.get('raw'))
    # Pass an argument list without a shell so the whole "a | b | c | d" string reaches
    # my_script.php as one argument (with shell=True the '|' would be treated as shell pipes)
    command = ["/usr/bin/php", "/opt/splunk/etc/apps/alert_action/bin/my_script.php", inputs]
    try:
        p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, error = p.communicate()
        if error:
            sys.stderr.write("ERROR %s\n" % error.decode("utf-8", "replace"))
        if out:
            sys.stdout.write(out.decode("utf-8", "replace"))
    except Exception as e:
        sys.stderr.write("ERROR Unexpected error: %s\n" % e)
        sys.exit(1)
Update alert_actions.conf with the content below. You don't need to provide the script name, as the stanza name matches the script name: my_script.py in the app directory /opt/splunk/etc/apps/alert_action/bin/.
[my_script]
is_custom = 1
label = My Alert Action
payload_format = json
param.trigger_date = $trigger_date$
param.status = $result.status$
param.uri_path = $result.uri_path$
param.raw = $result._raw$
I tested this on my dev stack.
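As an added example (not code from this thread or from Splunk), here is a Python 3 wrapper that parses the JSON payload Splunk hands a custom alert action on stdin and invokes the PHP handler with one literal argument and no shell, so the "|" separators and any shell metacharacters in _raw are never interpreted. The php path, the param names and the sample payload are assumptions taken from this thread or constructed.

```python
#!/usr/bin/env python3
import json
import subprocess
import sys

PHP_BIN = "/usr/bin/php"  # assumed interpreter path
PHP_SCRIPT = "/opt/splunk/etc/apps/alert_action/bin/my_script.php"  # path used in this thread
FIELDS = ("trigger_date", "status", "uri_path", "raw")  # the param.* names from alert_actions.conf

# Constructed stand-in for the JSON object Splunk writes to stdin when payload_format = json
SAMPLE_PAYLOAD = {
    "search_name": "Damir_php_test",
    "session_key": "EXAMPLE-DO-NOT-LOG",
    "configuration": {
        "trigger_date": "2020-02-24",
        "status": "404",
        "uri_path": "/search?q=a|b",
        "raw": "GET /search?q=a|b HTTP/1.1",
    },
}

def build_argument(payload):
    # Join the param.* values into the single "a | b | c | d" string the PHP script expects
    config = payload.get("configuration", {})
    return " | ".join(str(config.get(name, "")) for name in FIELDS)

def build_command(payload):
    # An argument list, not a shell string: "|" and other metacharacters in field values stay literal
    return [PHP_BIN, PHP_SCRIPT, build_argument(payload)]

def probe_argv(argument):
    # Show what a child process really receives in argv (python stands in for php so this runs offline)
    code = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run([sys.executable, "-c", code, argument], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def main():
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
        return 1
    payload = json.load(sys.stdin)
    # Do not echo the payload into splunkd.log: it carries session_key. Log only the search name.
    sys.stderr.write("INFO running handler for search=%s\n" % payload.get("search_name"))
    proc = subprocess.run(build_command(payload), capture_output=True, text=True)
    if proc.stderr:
        sys.stderr.write("ERROR %s\n" % proc.stderr.strip())
    return proc.returncode

if __name__ == "__main__":
    sys.exit(main())
```

probe_argv shows the whole joined string arriving as a single argv element, which is what the earlier shell=True wrapper could not guarantee once a "|" was present.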
Hello manjunathmeti! I've created a Python script with your code and updated alert_actions.conf as you said, but now I'm getting the warning below. I guess it can't find a script to execute. Maybe I forgot to add a line in alert_actions.conf?
02-24-2020 10:37:06.409 +0600 WARN sendmodalert - action=Splunk_integration - Unable to find alert action script for action="Splunk_integration" in app="alert_action_php"
Below are my_script.py and alert_actions.conf.
Hi @damiko
In alert_actions.conf the stanza name must be "my_script". Change the stanza name Splunk_integration to my_script.
Also remove one space from the beginning of each line (starting from line 2) in the Python script, to avoid Python indentation errors.
They say it's not working; well, I get this message in the search:
02-24-2020 12:11:10.666 +0600 INFO sendmodalert - Invoking modular alert action=Splunk_integration for search="Damir_php_test" sid="scheduler_admin_YWxlcnRfYWN0aW9uX3BocA_RMD5f6cda7d30fd7e0b1_at_1582524660_62268" in app="alert_action_php" owner="admin" type="saved"
Which means that the alert executed correctly, right?
What might be the issue then?
You should see one more log line, like the one below:
INFO sendmodalert - action= Splunk_integration - Alert action script completed in duration=XXX ms with exit code=0
Also make sure your search Damir_php_test contains the fields: status, uri_path and _raw.
OK, they gave me access to their portal.
It's receiving data, but only trigger_date.
Does the search Damir_php_test contain these fields: status, uri_path and _raw?
If yes, then append | table status, uri_path, _raw to the search query and check.
Yes, it does. My search initially had this query with | table status, uri_path, _raw.
Please check below.
P.S.
Still getting only trigger_date