Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the Script in custom alert action app is not working properly?

sudhir7
Explorer
‎08-28-2018 11:02 PM

I have created a custom alert action app to restart Splunk.
Here is restart_splunk.bat file, which I used in custom alert action app.

:start

cd "C:\Program Files\Splunk\bin\"

break>"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

splunk search "| rest /services/search/jobs | search dispatchState=Running OR dispatchState=Finalizing OR dispatchState=Backgrounded | table author" -auth admin:changeme >> "C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

for /f %%i in ('find /v /c "" ^<"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"') do set myint=%%i

IF %myint%==3 (
    cd "C:\Program Files\Splunk\bin\"
    splunk restart
    )

IF NOT %myint%==3 (    
    timeout 60
    goto start
    )

When I run this script manually, it works fine.
But when I schedule a custom alert, it just stops Splunk instead of restarting.
I tried this using "splunk stop" and "splunk start" instead of "splunk restart", but the result is same.

Has anyone else faced a similar situation ?

0 Karma
Reply

renjith_nair
Legend
‎08-30-2018 12:16 AM

@sudhir7 ,The user who is running the scheduled script has same permission as you run manually? Also check ownership of splunk files

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

sudhir7
Explorer
‎08-30-2018 01:23 AM

Hi @renjith.nair , Thanks for your reply.
For testing purpose, I have created an ec2 instance, which has only one user i.e. Administrator.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...