Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

errors in custom alert action

damucka
Builder
‎02-19-2020 07:20 AM

Hello,

We created a custom alert action as per documentation and try to trigger it.
We get the following errors:

2/19/20
4:01:42.547 PM  
02-19-2020 16:01:42.547 +0100 ERROR SearchScheduler - Error in 'sendalert' command: Alert action script for action "splunk2alc" not found., search='sendalert splunk2alc results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__d038423__mlbso__RMD5782cf4a2b848fa26_at_1582124460_1760/results.csv.gz" results_link="https://splunk-ml.zone1.mo.sap.corp:443/app/mlbso/@go?sid=scheduler__d038423__mlbso__RMD5782cf4a2b848fa26_at_1582124460_1760"'
host = mo-7ee963859.zone1.mo.sap.corpsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd
2/19/20
4:01:42.546 PM  
02-19-2020 16:01:42.546 +0100 ERROR sendmodalert - Error in 'sendalert' command: Alert action script for action "splunk2alc" not found.
host = mo-7ee963859.zone1.mo.sap.corpsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd
2/19/20
4:01:42.546 PM  
02-19-2020 16:01:42.546 +0100 ERROR sendmodalert - action=splunk2alc - Failed to find alert.execute.cmd "python".
host = mo-7ee963859.zone1.mo.sap.corpsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd
2/19/20
4:01:42.544 PM  
02-19-2020 16:01:42.544 +0100 INFO  sendmodalert - Invoking modular alert action=splunk2alc for search="Crash Dump Alert ALC - AlertAction" sid="scheduler__d038423__mlbso__RMD5782cf4a2b848fa26_at_1582124460_1760" in app="mlbso" owner="d038423" type="saved"
host = mo-7ee963859.zone1.mo.sap.corpsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd
2/19/20
4:01:38.316 PM  
02-19-2020 16:01:38.316 +0100 DEBUG sendmodalert - action=alert_manager - Token value action.splunk2alc=1

Our alect_actions.conf looks as follows:

[splunk2alc]
is_custom = 1
disabled = 0
label = Splunk2ALC
description = Send Alert to Alc
track_alert = 1
ttl         = 600
maxtime     = 5m
icon_path = alert_manager_icon.png
payload_format = xml
alert.execute.cmd = python
alert.execute.cmd.arg.0 = /opt/splunk/etc/apps/mlbso/bin/splunk2alc.py

under the alert.execute.cmd we have tried already quite some combinations, like:

$SPLUNK_HOME$/bin/python
$SPLUNK_HOME/bin/python
/opt/splunk/bin/python

All throw same error.

Any ideas?

Kind Regards,
Kamil

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-19-2020 07:29 AM

Place python script splunk2alc.py in /opt/splunk/etc/apps/mlbso/bin/ and alert_actions.conf with below configurations in /opt/splunk/etc/apps/mlbso/default.

 [splunk2alc]
 is_custom = 1
 disabled = 0
 label = Splunk2ALC
 description = Send Alert to Alc
 track_alert = 1
 ttl         = 600
 maxtime     = 5m
 icon_path = alert_manager_icon.png
 payload_format = xml

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-19-2020 07:29 AM

Place python script splunk2alc.py in /opt/splunk/etc/apps/mlbso/bin/ and alert_actions.conf with below configurations in /opt/splunk/etc/apps/mlbso/default.

 [splunk2alc]
 is_custom = 1
 disabled = 0
 label = Splunk2ALC
 description = Send Alert to Alc
 track_alert = 1
 ttl         = 600
 maxtime     = 5m
 icon_path = alert_manager_icon.png
 payload_format = xml
0 Karma
Reply
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...