Alerting

Saving alert triggerred scripts inside apps

Leo
Splunk Employee
Splunk Employee

I want to configure a saved search alert to trigger a script contained inside my app. The security measures only allow me to run the script from $SPLUNK_HOME/bin/scripts, making it difficult to ship it with the app.

Is there a workaround for this?

1 Solution

Leo
Splunk Employee
Splunk Employee

The solution would be to put the script inside /etc/apps/[appname]/bin and put the script name in savedsearches.conf:

action.script.filename = myscript.bat

View solution in original post

Ledion_Bitincka
Splunk Employee
Splunk Employee

the alert script should be placed in:

$SPLUNK_HOME/etc/apps/<app>/bin/scripts/

The error message you're seeing occurs because splunk first looks in the above app level directory and then falls back to the system level script location $SPLUNK_HOME/bin/scripts/ - if a script is not found at the system level a failure is reported and the system level dir is output.

the_wolverine
Champion

Leo, this doesn't appear to work, at least in version 4.1.2. When I create a script (verified executable) in $SPLUNK_HOME/etc/apps/myapp/bin/ and create a scheduled search (also running out of myapps/local/savedsearch.conf) that triggers the script, I still see that Splunk is looking in $SPLUNK_HOME/bin/scripts for the script:

ERROR script - Cannot find script at /home/support/splunk/bin/scripts/myscript.sh

What am I missing to get it to run from my app's bin directory?

0 Karma

Leo
Splunk Employee
Splunk Employee

The solution would be to put the script inside /etc/apps/[appname]/bin and put the script name in savedsearches.conf:

action.script.filename = myscript.bat

Leo
Splunk Employee
Splunk Employee

Actually I'm trying this now on 4.1.3 and it doesn't work when the script is placed in either script or bin directory.

0 Karma

ewoo
Splunk Employee
Splunk Employee

The script should actually be placed directly in /etc/apps/[appname]/bin. Files in a 'script' subdirectory of 'bin' are probably ignored.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...