Why is the Script in custom alert action app is no...

sudhir7 · ‎08-28-2018

I have created a custom alert action app to restart Splunk.
Here is restart_splunk.bat file, which I used in custom alert action app.

:start

cd "C:\Program Files\Splunk\bin\"

break>"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

splunk search "| rest /services/search/jobs | search dispatchState=Running OR dispatchState=Finalizing OR dispatchState=Backgrounded | table author" -auth admin:changeme >> "C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

for /f %%i in ('find /v /c "" ^<"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"') do set myint=%%i

IF %myint%==3 (
    cd "C:\Program Files\Splunk\bin\"
    splunk restart
    )

IF NOT %myint%==3 (    
    timeout 60
    goto start
    )

When I run this script manually, it works fine.
But when I schedule a custom alert, it just stops Splunk instead of restarting.
I tried this using "splunk stop" and "splunk start" instead of "splunk restart", but the result is same.

Has anyone else faced a similar situation ?

renjith_nair · ‎08-30-2018

@sudhir7 ,The user who is running the scheduled script has same permission as you run manually? Also check ownership of splunk files

---
What goes around comes around. If it helps, hit it with Karma 🙂

sudhir7 · ‎08-30-2018

Hi @renjith.nair , Thanks for your reply.
For testing purpose, I have created an ec2 instance, which has only one user i.e. Administrator.

Why is the Script in custom alert action app is not working properly?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!