Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Why is the Script in custom alert action app is not working properly?

sudhir7
Explorer
โ€Ž08-28-2018 11:02 PM

I have created a custom alert action app to restart Splunk.
Here is restart_splunk.bat file, which I used in custom alert action app.

:start

cd "C:\Program Files\Splunk\bin\"

break>"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

splunk search "| rest /services/search/jobs | search dispatchState=Running OR dispatchState=Finalizing OR dispatchState=Backgrounded | table author" -auth admin:changeme >> "C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"

for /f %%i in ('find /v /c "" ^<"C:\Program Files\Splunk\etc\apps\restart_splunk\bin\data.dat"') do set myint=%%i

IF %myint%==3 (
    cd "C:\Program Files\Splunk\bin\"
    splunk restart
    )

IF NOT %myint%==3 (    
    timeout 60
    goto start
    )

When I run this script manually, it works fine.
But when I schedule a custom alert, it just stops Splunk instead of restarting.
I tried this using "splunk stop" and "splunk start" instead of "splunk restart", but the result is same.

Has anyone else faced a similar situation ?

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
โ€Ž08-30-2018 12:16 AM

@sudhir7 ,The user who is running the scheduled script has same permission as you run manually? Also check ownership of splunk files

0 Karma
Reply

sudhir7
Explorer
โ€Ž08-30-2018 01:23 AM

Hi @renjith.nair , Thanks for your reply.
For testing purpose, I have created an ec2 instance, which has only one user i.e. Administrator.

0 Karma
Reply