Alerting

alert scripts: where do stdout and stderr go

Contributor

I'm working on some alert scripts, and trying to get debugging information out of them.

I can't figure out where stderr and stdout are going: I write to them, but nothing shows up in the _internal logs.

Tags (2)
0 Karma

Explorer

The logs are ingested and can be seen via SPL:

index=_internal sourcetype=splunkd component=sendmodalert action="{action}"

See http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModAlertsLog#Accessalertactionscriptlogs

0 Karma

Builder
0 Karma

Path Finder

doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost?

0 Karma

Builder

you can do the logging they mention in an alert script. Is your script in $SplunkHome$/bin/scripts ?

0 Karma

Explorer

Appears Splunk will find a triggered alert script in $SPLUNKHOME/bin/scripts.
But if the script contains >> directs to a file (like for debugging), that file is written to $SPLUNK
HOME/etc/apps/search/bin (assuming the alert was written in search app).
Does that sound right, or expected?

0 Karma

Contributor

thank you. is there a posting that covers the case of alert scruipts? not seeing that mentioned in this posting (or am I missing something)?

0 Karma