Alerting

alert scripts: where do stdout and stderr go

wegscd
Contributor

I'm working on some alert scripts, and trying to get debugging information out of them.

I can't figure out where stderr and stdout are going: I write to them, but nothing shows up in the _internal logs.

Tags (2)
0 Karma

tcgerhard
Explorer

The logs are ingested and can be seen via SPL:

index=_internal sourcetype=splunkd component=sendmodalert action="{action}"

See http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModAlertsLog#Access_alert_action_scrip...

0 Karma

hortonew
Builder
0 Karma

kundeng
Path Finder

doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost?

0 Karma

hortonew
Builder

you can do the logging they mention in an alert script. Is your script in $SplunkHome$/bin/scripts ?

0 Karma

droth333
Explorer

Appears Splunk will find a triggered alert script in $SPLUNK_HOME/bin/scripts.
But if the script contains >> directs to a file (like for debugging), that file is written to $SPLUNK_HOME/etc/apps/search/bin (assuming the alert was written in search app).
Does that sound right, or expected?

0 Karma

wegscd
Contributor

thank you. is there a posting that covers the case of alert scruipts? not seeing that mentioned in this posting (or am I missing something)?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...