- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Trouble about Custom alert actions script
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trouble about Custom alert actions script
Splunk version :7.3.3
We are testing the Custom alert action. We copied the files as alert_test from etc/apps/alert_logevent.
Then we used the example from https://docs.splunk.com/Documentation/Splunk/7.3.3/AdvancedDev/ModAlertsBasicExample and configurated the alert_actions.conf and the logger.py .
We set an alert and add the custom alert to the alert .
And the alert runs every 2 minutes.
The logger example implements a custom alert action that does the following:
- Creates a path to a log file when the alert first fires.
- Writes log messages to the log file when the alert fires.
- Writes log information to an existing Splunk Enterprise log file
BUT when we cat the log ,we found that the message as below the :
2021-02-05T11:08:01.473866 got arguments ['/data/eccom_gao/splunk/etc/apps/alert_log_test/bin/logger.py', '--execute']
2021-02-05T11:08:01.474097 got payload: {"app":"search","owner":"admin","result_id":"0","results_file":"/data/eccom_gao/splunk/var/run/splunk/dispatch/scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94/per_result_alert/tmp_0.csv.gz","results_link":"http://056-gj-test01:8000/app/search/search?q=%7Cloadjob%20scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now",.................................}
2021-02-05T11:08:01.615030 got arguments ['/data/eccom_gao/splunk/etc/apps/alert_log_test/bin/logger.py', '--execute']
2021-02-05T11:08:01.615210 got payload: {"app":"search","owner":"admin","result_id":"1","results_file":"/data/eccom_gao/splunk/var/run/splunk/dispatch/scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94/per_result_alert/tmp_1.csv.gz","results_link":"http://056-gj-test01:8000/app/search/search?q=%7Cloadjob%20scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now",...........................................................}
2021-02-05T11:13:01.761179 got arguments ['/data/eccom_gao/splunk/etc/apps/alert_log_test/bin/logger.py', '--execute']
2021-02-05T11:13:01.761385 got payload: {"app":"search","owner":"admin","result_id":"0","results_file":"/data/eccom_gao/splunk/var/run/splunk/dispatch/scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94/per_result_alert/tmp_2.csv.gz","results_link":"http://056-gj-test01:8000/app/search/search?q=%7Cloadjob%20scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94%20%7C%20head%203%20%7C%20tail%201&earliest=0&latest=now",...............................................}
2021-02-05T11:13:01.761179 got arguments ['/data/eccom_gao/splunk/etc/apps/alert_log_test/bin/logger.py', '--execute']
2021-02-05T11:13:01.761385 got payload: {"app":"search","owner":"admin","result_id":"1","results_file":"/data/eccom_gao/splunk/var/run/splunk/dispatch/scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94/per_result_alert/tmp_2.csv.gz","results_link":"http://056-gj-test01:8000/app/search/search?q=%7Cloadjob%20scheduler__admin__search__RMD5e0e0606133e59cd5_at_1612494480_94%20%7C%20head%203%20%7C%20tail%201&earliest=0&latest=now",...............................................}
It seems like :The time stamp in the log is not consistent with the time that the alert runs. The time in the log is not written every two minutes. Sometimes it may take five minutes to write in the log.
Can anyone help me, please?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
