Deployment Architecture

Where can we set the script (host=CSG196) so we can deploy the script on the host?

jackin
Path Finder

Hi,

We face a challenge.

We have created one alert in which we are monitoring one of the Windows services (the Cloud Gateway service).

So basically, if this service is not running or is stopped, Splunk will trigger an alert for that.

Wanted to check if there is any possibility that, if Splunk triggers such an alert, then to resolve it Splunk will go to that server, log in to the server and restart the service.

We have identified one solution for this:

executing the alert action using a script.

May I know where we can set the script (host=CSG196)? Can we deploy the script on the host?

Can anyone suggest how to resolve this issue?

0 Karma

gcusello
Legend

Hi @jackin,

You should create the script on the Splunk server and execute it as the action for the triggered alert.

The script must be run on the Splunk server; it remotely accesses the target server and performs its activity there.

To my knowledge it isn't possible to directly activate remote scripts.

You could create a porkaround by running a script on the Splunk server that enables the activation of the local script.

Ciao.

Giuseppe

0 Karma

jackin
Path Finder

Hi,

Actually, we are using Splunk Cloud to create the alerts. Can anyone confirm where we can deploy the script?

Regards,

Jack

0 Karma

PickleRick
Ultra Champion

Splunk Cloud is somewhat limited in terms of flexibility and some low-level functionality available to customers compared to an on-premise installation.

With an on-premise install you could indeed create a script for a custom alert action which would do what you need (I would, however, strongly advise against direct manipulation of external hosts this way).

In Cloud you can't do that.

You could, however, if you're not using any full-blown SOAR solution, create an external script which would periodically query Splunk Cloud via the REST API, check if there are any results for your search, and act accordingly.

0 Karma
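The two mechanisms discussed in this thread (gcusello's custom alert action script executed on an on-premise Splunk server, and PickleRick's external poller that queries Splunk Cloud over the REST API) differ only in how the alert reaches the script; the remediation step is the same. The following is an added example, not code from the original thread or from Splunk; it shows one guarded implementation of both entry points around a shared restart routine. The Splunk Cloud URL, the authentication token, the saved-search name "Cloud Gateway Service Down", the service name CloudGatewayService and the sample search results are all assumptions (constructed here), and the host allowlist contains only CSG196 because that is the only host named in the question.

```python
"""Start a stopped Windows service on the host named in a Splunk alert.

Two entry points share one guarded remediation routine:
  * poll_and_remediate(): the Splunk Cloud pattern, an external script that
    runs a search over the REST API on a schedule and acts on the results.
  * run_as_alert_action(): the on-prem pattern, invoked by Splunk as a custom
    alert action ("script.py --execute") with the alert payload as JSON on stdin.
Added example; connection details, names and sample data are assumptions.
"""
import json
import subprocess
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Assumed connection details (placeholders, not from the original thread).
SPLUNK_BASE = "https://example.splunkcloud.com:8089"
SPLUNK_TOKEN = "REPLACE-WITH-AUTH-TOKEN"
ALERT_SEARCH = '| savedsearch "Cloud Gateway Service Down"'  # assumed saved-search name

# Guardrails: only these hosts/services may ever be touched, and a host is not
# restarted again within COOLDOWN_SECONDS even if the alert keeps firing.
ALLOWED_HOSTS = {"CSG196"}
ALLOWED_SERVICES = {"CloudGatewayService"}  # assumed service name
COOLDOWN_SECONDS = 600
_last_restart: Dict[str, float] = {}

# Constructed sample of a Splunk JSON results document (output_mode=json).
SAMPLE_RESULTS = {
    "results": [
        {"host": "CSG196", "State": "Stopped"},
        {"host": "CSG196", "State": "Stopped"},  # duplicate row, deduplicated below
        {"host": "CSG200", "State": "Stopped"},  # not in the allowlist, must be refused
    ]
}


def fetch_search_results(search: str) -> dict:
    """Run a oneshot search via the REST API and return the parsed JSON body."""
    body = urllib.parse.urlencode(
        {"search": search, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    req = urllib.request.Request(
        f"{SPLUNK_BASE}/services/search/jobs",
        data=body,
        headers={"Authorization": f"Bearer {SPLUNK_TOKEN}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def hosts_from_results(results_json: dict, host_field: str = "host") -> List[str]:
    """Return the distinct host names found in a Splunk JSON results document."""
    seen: List[str] = []
    for row in results_json.get("results", []):
        h = row.get(host_field)
        if h and h not in seen:
            seen.append(h)
    return seen


def restart_command(host: str, service: str) -> List[str]:
    """sc.exe invocation that starts a service on a remote host (run by the caller)."""
    return ["sc.exe", f"\\\\{host}", "start", service]


def remediate(host: str, service: str,
              runner: Optional[Callable[[List[str]], int]] = None,
              now: Callable[[], float] = time.time) -> str:
    """Start `service` on `host` if the guardrails allow it; return the decision."""
    if host not in ALLOWED_HOSTS or service not in ALLOWED_SERVICES:
        return "refused"  # never act on a host or service we did not expect
    if now() - _last_restart.get(host, 0.0) < COOLDOWN_SECONDS:
        return "cooldown"  # avoid a restart storm while the alert keeps firing
    if runner is None:
        runner = lambda cmd: subprocess.run(cmd, check=False).returncode
    rc = runner(restart_command(host, service))
    _last_restart[host] = now()
    return "restarted" if rc == 0 else f"failed:{rc}"


def poll_and_remediate(fetch: Callable[[str], dict] = fetch_search_results,
                       runner=None, now=time.time) -> Dict[str, str]:
    """Splunk Cloud pattern: run the alert's search and act on every host it lists."""
    service = next(iter(ALLOWED_SERVICES))
    return {h: remediate(h, service, runner, now) for h in hosts_from_results(fetch(ALERT_SEARCH))}


def run_as_alert_action(stdin=sys.stdin, runner=None, now=time.time) -> str:
    """On-prem pattern: Splunk passes the alert payload as JSON on stdin; the
    first result row is payload["result"], which carries the host field."""
    payload = json.load(stdin)
    host = payload.get("result", {}).get("host", "")
    return remediate(host, next(iter(ALLOWED_SERVICES)), runner, now)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        print(run_as_alert_action())
    elif len(sys.argv) > 1 and sys.argv[1] == "--dry-run":
        # Offline demo over the constructed sample; the runner only prints.
        print(poll_and_remediate(fetch=lambda s: SAMPLE_RESULTS,
                                 runner=lambda cmd: (print("would run:", cmd), 0)[1]))
    else:
        print(poll_and_remediate())
```

Run it with `--dry-run` to see the decisions without touching any host. Whichever entry point is used, the process needs rights to start that one service on CSG196 and nothing more (a dedicated service account, not a domain admin), the Splunk token should belong to a role that can only run the saved search, and in alert-action mode the cooldown dictionary should be persisted to a file since Splunk starts a fresh process per alert.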

gcusello
Legend

Hi, @jackin,

No, on Splunk Cloud it isn't possible.

As I said, it's a porkaround to create on your own server.

Ciao.

Giuseppe

0 Karma

jackin
Path Finder

Hi 

What is meant by "porkaround"?

Is there any doc related to this, or can you give me the steps to resolve this?

0 Karma

gcusello
Legend

Hi @jackin,

I mean a script, executed on the Splunk server when an alert triggers, that enables execution of a local script.

It isn't a best-practice solution; for this reason I called it a "porkaround".

The easiest solution (but not automatic) could be to associate with the alert on Splunk Cloud an email to an administrator, who then manually executes the script.

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust

Probably you could do it with Splunk SOAR?

0 Karma