Solved: Splunk Alert-Trigger in Windows - doesn't work wel...

sbeamro · ‎01-04-2015

Hi,
I have an .exe client that I can use in order to send SMS with my SMS server.
I've made a simple batch file - test.bat
on the batch file I've wrote 2 lines -

snsClient.exe -zSMSSERVER:1234
-rPHONENUMBER -sALERT -iSYSLOG -sTest Test msg.exe Administrator Hi1

when I run the batch file - it works , I'm seeing a message on the screen and I'm getting an SMS.

I've got the file under C:\Program Files\Splunk\bin\scripts\
I've also go the snsclient.exe & DLLs to the same folder.
I've ran the batch file - and it works.

Over Splunk - under the "run script" I wrote - test.bat

when the alert is triggering I'm getting an email & I'm getting the message on the screen - which means the msg.exe is working - which means that it does run the .bat file !

yet - the bat file for some reason doesn't run the .exe file when the splunk is running the .bat file.
when I'm running the bat file - it does work.

please help !

P.S.
there is only 1 user over the Windows 2008 R2 Server which is Administrator , the splunk service is running under this service.

linu1988 · ‎01-04-2015

Use error logging in the bat file or put the bat file in someother location and try to trigger with absolute path.

View solution in original post

linu1988 · ‎01-04-2015

Use error logging in the bat file or put the bat file in someother location and try to trigger with absolute path.

sbeamro · ‎01-05-2015

Hi linu,
thanks for your help !
I have modified to have the full location and changed to it be c:\
and it works !
thanks a lot for your help !

I do have another question -
in order to send the SMS I need to use the following context -
C:\snsClient.exe -z:1234 -r -sALERT -iSYSLOG -s*'**'*

I've tried to write on the bat file the follows -
C:\snsClient.exe -z1.1.1.1:1234 -r055555555 -sALERT -iSYSLOG -s
and then I wrote on the the alert script over splunk the follows -
test.bat $alert
I've also tried test.bat SMS TEST

and it doesn't work.

any idea how can I use it to work ?
I would like have in between the ` ` the raw data.

linu1988 · ‎01-05-2015

Hi Sbeamro,
i am not able to get the complete details as the symbols got omitted in your comment. But what i can understand is you want to include the alert subject in your SMS !? You can take advantage of the parameters which will supply you the values directly. Don't mention the $alert variable while mentioning the script file in the alert set up page. Please see the below argument values.
`

Arg Environment Variable    Value
0   SPLUNK_ARG_0    Script name`

1   SPLUNK_ARG_1    Number of events returned

2   SPLUNK_ARG_2    Search terms

3   SPLUNK_ARG_3    Fully qualified query string

4   SPLUNK_ARG_4    Name of report

5   SPLUNK_ARG_5    Trigger reason.

For example, "The number of events was greater than 1."

6   SPLUNK_ARG_6    Browser URL to view the report.

7   SPLUNK_ARG_7    Not used for historical reasons.

8   SPLUNK_ARG_8    File in which the results for the search are stored.

Contains raw results.

`

sbeamro · ‎01-05-2015

YAY I got it to work !
I really apprecaite your help !

Splunk Alert-Trigger in Windows - doesn't work well

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?