Custom Alert action shell script

SplunkTrust

Hi,

Currently I am creating a Custom Alert action script as per the documentation http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomAlertScript but I would like to create a shell script instead of a Python script.

In the shell script, to fetch the payload I am using read sessionKey. Is this the correct way? Or do I need to use some other code to fetch the payload value in a shell script?

Thanks,
Harshil

0 Karma

Re: Custom Alert action shell script

SplunkTrust

You'll need to read in the arguments via stdin.

Please see this link for just about everything you need and let us know if you get stuck:

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Configuringscriptedalerts

The downside to using a bash script as an alert action is that you only get those 7 arguments. To read the results you have to read & manipulate the data file whose path is provided by the 8th argument.

Cheers!

0 Karma

Re: Custom Alert action shell script

SplunkTrust

Currently in the script I am using SPLUNK_ARG_1 ... 8, and I am using that script in the "run a script" alert action. It is working fine, but the feature is deprecated now.

So I have a new script based on "Custom Alert Action", but I can use only read sessionKey as STDIN in the shell script.

I am getting the payload via this script:

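#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    # -r keeps backslashes in the payload intact
    read -r sessionKey
    # quoting stops word splitting and globbing of the payload text
    echo "$sessionKey" > /tmp/payload_output.txt
fi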

But if I use other variables in the script, those are not working/no output.

#!/bin/bash
if [[ "$1" == "--execute" ]]; then
    read SPLUNK_ARG_0
    echo $SPLUNK_ARG_0 > /tmp/payload_output.txt
    echo $SPLUNK_ARG_1 >>  /tmp/payload_output.txt
fi

So my question is: with read sessionKey, which I am using in the first script, I am getting the payload value, so is this the correct method to fetch the payload value in a Custom Alert Action script?

Thanks,
Harshil

0 Karma

Re: Custom Alert action shell script

SplunkTrust

Are you looking for the search results?

If so there will be a file on a path specified by argument 8. You must use your script to read this file and use it as the payload.

0 Karma

Re: Custom Alert action shell script

SplunkTrust

While using arguments in the script based on this http://docs.splunk.com/Documentation/Splunk/6.4.5/AdvancedDev/CustomAlertScript , those arguments (SPLUNK_ARG_0 ... 8) are not working.

0 Karma

Re: Custom Alert action shell script

SplunkTrust

OK, I understand your question now. Yes, you are doing it correctly, except I wouldn't call the payload sessionKey; I would call it payload:

    read payload

0 Karma

Re: Custom Alert action shell script

SplunkTrust

Perfect. Working fine, thanks. I am not able to convert your last comment to an answer, so I am accepting the first answer as the answer.

Thanks,
Harshil

0 Karma

Re: Custom Alert action shell script

SplunkTrust

Hey, you did see in alert_actions.conf where you can change the payload format to XML or JSON, I hope!

0 Karma

Re: Custom Alert action shell script

SplunkTrust

Yes, I already converted into JSON format in alert_actions.conf

0 Karma
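
Putting the thread together, here is an added example (not code from any of the posters or from Splunk) of a custom alert action shell script that reads the whole stdin payload and keeps the session key out of any file it writes. It assumes the JSON payload format mentioned above and the payload field names `session_key`, `search_name` and `results_file`; the function names, the `--demo` switch and the sample payload are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). Assumes payload_format = json.
umask 077  # the payload carries a session key: anything written is owner-only

# Constructed sample payload, used only by the --demo dry run below.
SAMPLE='{"search_name":"Failed logins","session_key":"abc123XYZ","results_file":"/tmp/results.csv.gz"}'

# Print the first string value stored under key $1 in JSON text $2.
# Deliberately minimal: flat string fields without escaped quotes only.
json_str() {
    printf '%s\n' "$2" \
        | grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
        | head -n 1 \
        | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"\(.*\)"$/\1/'
}

# Blank out the session key so it never lands in a debug or log file.
redact_payload() {
    printf '%s\n' "$1" \
        | sed 's/\("session_key"[[:space:]]*:[[:space:]]*"\)[^"]*"/\1REDACTED"/'
}

# Read the payload from stdin, save a redacted copy to file $1 and print
# the two fields a follow-up step usually needs.
handle_alert() {
    payload=$(cat)  # all of stdin; a bare `read` stops at the first newline
    if [ -z "$payload" ]; then
        echo "empty payload on stdin" >&2
        return 2
    fi
    redact_payload "$payload" > "$1"
    printf 'search=%s results_file=%s\n' \
        "$(json_str search_name "$payload")" \
        "$(json_str results_file "$payload")"
}

case "${1:-}" in
    --execute) handle_alert "$(mktemp "${TMPDIR:-/tmp}/alert_payload.XXXXXX")" ;;
    --demo)    printf '%s' "$SAMPLE" | handle_alert /dev/null ;;
esac
```

For nested fields such as the result row or the action configuration, replace `json_str` with a real JSON parser.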