We face a challenge
We have created one alert in which we are monitoring one of the windows service (cloud gate way service)
So basically if this service is not running or stopped splunk will trigger an alert for that.
Wanted to check if any possibility is there that if Splunk trigger such type of alert then to resolve the same Splunk will go to that server , login the server and will restart the service
We have identified one solution for this
By excute the alert action using the script
MAY I know where we can set the script (host=CSG196) can we deploy the script in host
Can anyone suggest to resolve this issue
you should create the script on the Splunk server and execute it as action for triggered alert.
The script must be runned on Splunk server and it remotely access the server and makes its activity.
For my knowledge it isn't possible to directly activate remote scripts.
You could create a porkaround running a script on Splunk Server that enables the activation of the local script.
Splunk Cloud is somewhat limited in terms of flexibility and some low-level functionalities avaliable for customers compared to on-premise installation.
With on-premise install you could indeed create a script for a custom alert action which would do what you need (I would however strongly advise agains direct manipulation of external hosts this way).
In Cloud you can't do that.
You could however, if you're not using any full-blown SOAR solution create an external script which would periodically query Splunk Cloud via REST API, check if there are any results to your search and act accordingly.
I mean a script, to execute on the Splunk server when an alert triggers, that enable executing of a local script.
It isn't e best practice solution, for this reason I called it "porkaround".
The easiest solution (but not automatic) could be that maybe you could associate to the alert on Splunk Cloud an email to an administrator and manually execute the script.