Alerting

alert scripts: where do stdout and stderr go

Contributor

I'm working on some alert scripts, and trying to get debugging information out of them.

I can't figure out where stderr and stdout are going: I write to them, but nothing shows up in the _internal logs.

Tags (2)
0 Karma

Explorer

The logs are ingested and can be seen via SPL:

index=_internal sourcetype=splunkd component=sendmodalert action="{action}"

See http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModAlertsLog#Access_alert_action_scrip...

0 Karma

Builder
0 Karma

Path Finder

doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost?

0 Karma

Builder

you can do the logging they mention in an alert script. Is your script in $SplunkHome$/bin/scripts ?

0 Karma

Explorer

Appears Splunk will find a triggered alert script in $SPLUNK_HOME/bin/scripts.
But if the script contains >> directs to a file (like for debugging), that file is written to $SPLUNK_HOME/etc/apps/search/bin (assuming the alert was written in search app).
Does that sound right, or expected?

0 Karma

Contributor

thank you. is there a posting that covers the case of alert scruipts? not seeing that mentioned in this posting (or am I missing something)?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!