alert scripts: where do stdout and stderr go

wegscd · ‎09-11-2014

I'm working on some alert scripts, and trying to get debugging information out of them.

I can't figure out where stderr and stdout are going: I write to them, but nothing shows up in the _internal logs.

tcgerhard · ‎01-09-2017

The logs are ingested and can be seen via SPL:

index=_internal sourcetype=splunkd component=sendmodalert action="{action}"

See http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModAlertsLog#Access_alert_action_scrip...

hortonew · ‎09-11-2014

This answer may help you:

http://answers.splunk.com/answers/31262/sysstderr-not-logging-to-splunkd

kundeng · ‎05-25-2016

doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost?

hortonew · ‎09-11-2014

you can do the logging they mention in an alert script. Is your script in $SplunkHome$/bin/scripts ?

droth333 · ‎02-19-2015

Appears Splunk will find a triggered alert script in $SPLUNK_HOME/bin/scripts.
But if the script contains >> directs to a file (like for debugging), that file is written to $SPLUNK_HOME/etc/apps/search/bin (assuming the alert was written in search app).
Does that sound right, or expected?

wegscd · ‎09-11-2014

thank you. is there a posting that covers the case of alert scruipts? not seeing that mentioned in this posting (or am I missing something)?

alert scripts: where do stdout and stderr go

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!