Why is the Script in custom alert action app is no...

sudhir7 · ‎08-28-2018

I have created a custom alert action app to restart Splunk.
Here is restart_splunk.bat file, which I used in custom alert action app.

:start

cd "C:\Program Files\Splunk\bin\"

break>"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

splunk search "| rest /services/search/jobs | search dispatchState=Running OR dispatchState=Finalizing OR dispatchState=Backgrounded | table author" -auth admin:changeme >> "C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

for /f %%i in ('find /v /c "" ^<"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"') do set myint=%%i

IF %myint%==3 (
    cd "C:\Program Files\Splunk\bin\"
    splunk restart
    )

IF NOT %myint%==3 (    
    timeout 60
    goto start
    )

When I run this script manually, it works fine.
But when I schedule a custom alert, it just stops Splunk instead of restarting.
I tried this using "splunk stop" and "splunk start" instead of "splunk restart", but the result is same.

Has anyone else faced a similar situation ?

renjith_nair · ‎08-30-2018

@sudhir7 ,The user who is running the scheduled script has same permission as you run manually? Also check ownership of splunk files

---
What goes around comes around. If it helps, hit it with Karma 🙂

sudhir7 · ‎08-30-2018

Hi @renjith.nair , Thanks for your reply.
For testing purpose, I have created an ec2 instance, which has only one user i.e. Administrator.

Why is the Script in custom alert action app is not working properly?

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring