Run a Linux shell script with Alert Action in the ...

konpa01 · ‎03-27-2020

I am running version 8.x. I want to add the capability to run a custom Linux bash script as Alert Action with the OOTB search app. I did the following:

1 - create a file called alert_actions.conf in the /opt/splunk/etc/apps/search/default directory and have the following content.
[sendsnmptrap]
is_custom = 1
label = Send SNMP Traps
description = Custom action to send search result as SNMP traps
ttl = 120
disabled = 0

----how can I call the script?

2 - I create the script in as /opt/splunk/etc/apps/search/bin/sendsnmptrap.sh with the very basic command & parameter

martin_mueller · ‎03-27-2020

First off, DO NOT edit in etc/apps/search/default, it will get overwritten on update of splunk, instead use local: https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Configurationfiledirectories#About_the_defa...

That being said, you can call scripts using the Run a script alert action: https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/Runscriptaction or by properly implementing a custom alert using the Modular Alert framework: https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/ModAlertsIntro

Run a Linux shell script with Alert Action in the standard Search app.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation