Hi
We face a challenge.
We have created one alert in which we are monitoring one of the Windows services (cloud gateway service).
So basically, if this service is not running or is stopped, Splunk will trigger an alert for that.
Wanted to check if there is any possibility that, if Splunk triggers such a type of alert, then to resolve it Splunk will go to that server, log in to the server and restart the service.
We have identified one solution for this:
by executing the alert action using a script.
May I know where we can set the script (host=CSG196)? Can we deploy the script on the host?
Can anyone suggest how to resolve this issue?
Hi @jackin,
you should create the script on the Splunk server and execute it as an action for the triggered alert.
The script must be run on the Splunk server, and it remotely accesses the server and performs its activity.
To my knowledge, it isn't possible to directly activate remote scripts.
You could create a porkaround by running a script on the Splunk server that enables the activation of the local script.
Ciao.
Giuseppe
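The following is an added example (not code from the thread or from Splunk) of the on-premises approach described above: a legacy scripted alert action that Splunk runs from `$SPLUNK_HOME/bin/scripts` (or an app's `bin/scripts`) as its own service account, receiving the gzipped results CSV as `argv[8]`, and which then starts the service on the hosts named in the results. The service name `CloudGatewayService`, the allowlist, the sample rows and the use of `sc.exe` are assumptions for illustration. The security-relevant part is that the `host` field comes from indexed data, so it is validated and checked against an allowlist before it is placed in any command.

```python
#!/usr/bin/env python3
"""Legacy scripted alert action (on-premises Splunk): start a Windows service
on every allowlisted host named in the alert's results.

Splunk passes the gzipped results CSV path as argv[8]. Service name,
allowlist and the sc.exe command are assumptions for this example.
"""
import csv
import gzip
import re
import subprocess
import sys

SERVICE_NAME = "CloudGatewayService"   # assumed Windows service name
ALLOWED_HOSTS = {"CSG196"}             # the only hosts this script may act on
# A real host name is labels, dots and hyphens; anything else is not a host.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

# Constructed stand-in for the rows Splunk writes to results.csv.gz.
SAMPLE_ROWS = [
    {"_time": "2024-05-01T10:00:00", "host": "CSG196",
     "Message": "The Cloud Gateway Service service entered the stopped state."},
    {"_time": "2024-05-01T10:00:05", "host": "CSG196",
     "Message": "The Cloud Gateway Service service entered the stopped state."},
    {"_time": "2024-05-01T10:00:09", "host": "CSG201",        # not allowlisted
     "Message": "The Cloud Gateway Service service entered the stopped state."},
    {"_time": "2024-05-01T10:00:12", "host": "x; calc.exe",   # hostile host value
     "Message": "forged"},
]


def hosts_from_rows(rows):
    """Distinct, sorted host values from result rows (one row per event)."""
    return sorted({row["host"] for row in rows if row.get("host")})


def hosts_from_results(path):
    """Read Splunk's gzipped results CSV and return the distinct host values."""
    with gzip.open(path, "rt", newline="") as fh:
        return hosts_from_rows(csv.DictReader(fh))


def restart_command(host, service=SERVICE_NAME):
    """Command to start the service on one host, or None if the host is not a
    well-formed, allowlisted name. The host value is untrusted indexed data
    and must never reach a command line unchecked."""
    if not HOSTNAME_RE.match(host):
        return None
    if host.upper() not in {h.upper() for h in ALLOWED_HOSTS}:
        return None
    # sc.exe \\HOST start SERVICE talks to the remote Service Control Manager;
    # the Splunk service account needs start rights on that service.
    return ["sc.exe", "\\\\" + host, "start", service]


def plan_actions(hosts):
    """Split hosts into commands to run and hosts that were refused."""
    commands, skipped = [], []
    for host in hosts:
        cmd = restart_command(host)
        if cmd is None:
            skipped.append(host)
        else:
            commands.append(cmd)
    return commands, skipped


def main(argv, run=subprocess.run):
    """Entry point as Splunk calls it: argv[8] is the results file path."""
    commands, skipped = plan_actions(hosts_from_results(argv[8]))
    for host in skipped:
        print(f"refusing to act on host {host!r}", file=sys.stderr)
    for cmd in commands:
        # shell=False (the default) keeps the list from being re-parsed; a
        # failing host is logged rather than aborting the remaining ones.
        rc = run(cmd, timeout=60).returncode
        print(f"{' '.join(cmd)} -> rc={rc}", file=sys.stderr)
    return len(commands)


if __name__ == "__main__":
    main(sys.argv)
```

Because the script runs with whatever rights the Splunk service account has on every target, keeping the allowlist and the single fixed service name in the script (rather than taking them from the search results) is what limits the blast radius if someone manages to get a crafted `host` value indexed.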
Hi,
Actually, we are using Splunk Cloud to create the alerts. Can anyone confirm where we can deploy the script?
Regards,
Jack
Splunk Cloud is somewhat limited in terms of flexibility and some low-level functionality available to customers compared to an on-premise installation.
With an on-premise install you could indeed create a script for a custom alert action which would do what you need (I would, however, strongly advise against direct manipulation of external hosts this way).
In Cloud you can't do that.
You could, however, if you're not using any full-blown SOAR solution, create an external script which would periodically query Splunk Cloud via the REST API, check if there are any results for your search and act accordingly.
Hi, @jackin,
no, on Splunk Cloud it isn't possible.
As I said, it's a porkaround to create on your own server.
Ciao.
Giuseppe
Hi
What is meant by porkaround?
Is there any doc related to this, or can you give me the steps to resolve this?
Hi @jackin,
I mean a script, executed on the Splunk server when an alert triggers, that enables execution of a local script.
It isn't a best-practice solution; for this reason I called it a "porkaround".
The easiest solution (but not automatic) could be to associate an email to an administrator with the alert on Splunk Cloud and manually execute the script.
Ciao.
Giuseppe
Probably you could do it with Splunk SOAR?