Hello people,
I am making an alert that exports a CSV. The problem is that when this .csv is exported, it only has rw permissions, and I want it to have rw-r. I made a script that converts this file to the permissions I want, but it doesn't work. I have read all the docs on configuring scripted alerts, but I can't resolve this problem.
Can anyone help me?
Scripted alert action is officially deprecated. Use custom alert action. Check this page to convert scripted action to custom alert action.
https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/CustomAlertConvertScripted
Simple steps to create an app for custom alert action:
Step 1: Create new app script_custom_alert_action and create app.conf and alert_actions.conf like below. Copy configuration files to script_custom_alert_action/default.
app.conf
[ui]
is_visible = 0
label = Scripted Custom Alert Action
[launcher]
description = Scripted Custom Alert Action
[install]
state = enabled
is_configured = 1
alert_actions.conf
[scriptcustomalert]
is_custom = 1
label = Scripted Custom Alert Action
Step 2: Rename your script. The script name must be the same as the stanza name in alert_actions.conf. Example: scriptcustomalert.py or scriptcustomalert.sh. Put it in script_custom_alert_action/bin.
Step 3: Create default.meta and copy it to script_custom_alert_action/metadata. This enables all users to configure the custom alert action for their alerts in any app.
[]
access = read : [ * ], write : [ admin ]
export = system
Step 4: Deploy the app and restart Splunk. The new action "Scripted Custom Alert Action" will appear in the alert action list in the UI in alert configurations, and you can select it and verify.
Thanks, I have read this a lot of times, but I can't resolve the problem.
Can you help me with this configuration?
I could create it, but my script doesn't change the permissions of the CSV 😞
I tested with the below Python script and it's working. Check with this script.
Search query I used:
index=_internal earliest=-5m | stats count by sourcetype | outputcsv test.csv
Thanks Bro, it works!!!!
Updated my answer.
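For reference, a sketch of what a scriptcustomalert.py for the steps above can look like. It is an added example, not the script posted in this thread. It assumes that "rw-r" means mode 0640 and that the file is the test.csv written by the outputcsv search above; the function names are hypothetical.

```python
#!/usr/bin/env python
"""scriptcustomalert.py: added example, not the script from the thread."""
import json
import os
import stat
import sys

CSV_NAME = "test.csv"   # file written by "| outputcsv test.csv" in the thread
TARGET_MODE = 0o640     # assumption: "rw-r" means rw-r----- (owner rw, group r)


def csv_dir(splunk_home):
    # outputcsv writes its files to $SPLUNK_HOME/var/run/splunk/csv
    return os.path.join(splunk_home, "var", "run", "splunk", "csv")


def set_csv_mode(directory, name, mode=TARGET_MODE):
    """Set the mode of directory/name and return the resulting mode bits."""
    # Accept a bare file name only, so the action cannot be pointed elsewhere.
    if not name or name in (".", "..") or os.path.basename(name) != name:
        raise ValueError("expected a bare file name, got %r" % name)
    # O_NOFOLLOW makes open() fail on a symlink; fchmod then acts on the
    # file that was actually opened, not on whatever the path names later.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(os.path.join(directory, name), flags)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise ValueError("%r is not a regular file" % name)
        os.fchmod(fd, mode)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def main(argv, stdin):
    # Splunk runs a custom alert action as "<script> --execute" and sends
    # the alert payload as JSON on stdin; stderr goes to splunkd.log.
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    payload = json.load(stdin)
    try:
        mode = set_csv_mode(csv_dir(os.environ["SPLUNK_HOME"]), CSV_NAME)
    except (KeyError, OSError, ValueError) as exc:
        sys.stderr.write("ERROR search=%s chmod failed: %s\n" % (payload.get("search_name"), exc))
        return 2
    sys.stderr.write("INFO %s mode set to %o\n" % (CSV_NAME, mode))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

The script must be executable by the user Splunk runs as, and that user must own the CSV for the mode change to succeed.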