Splunk Dev

Custom Alert reaction with Python

flk2309
New Member

Hello,

I want to trigger a a Python script as reaction to an alert. I have added the stanza to alert_actions.conf and restarted Splunk:

[myscript]
is_custom = 1
disabled = 0
label = myscript
description = myscript
track_alert = 1
ttl = 600
maxtime = 5m
icon_path = alert_manager_icon.png
payload_format = xml
filename = myscript.py
alert.execute.cmd = /opt/splunk/etc/apps/bla/bin/myscript.py

In the spunkd log I find the following entry:

02-19-2020 13:25:39.278 +0100 ERROR ModularUtility - Specified filename "..." not found in search path.
...

But the script is definitely there. Kindly help me to find out what I´m missing.

Best Regards Falko

Labels (1)
0 Karma
1 Solution

manjunathmeti
Champion

Just try with below configurations in alert_actions.conf.

[myscript]
is_custom = 1
disabled = 0
label = myscript
description = myscript
track_alert = 1
ttl = 600
maxtime = 5m
icon_path = alert_manager_icon.png
payload_format = xml

View solution in original post

0 Karma

manjunathmeti
Champion

Just try with below configurations in alert_actions.conf.

[myscript]
is_custom = 1
disabled = 0
label = myscript
description = myscript
track_alert = 1
ttl = 600
maxtime = 5m
icon_path = alert_manager_icon.png
payload_format = xml
0 Karma

flk2309
New Member

Hello,

thank you. This works fine.

Another question I have now is, how can I trigger this alert manually to develop the script? When I run it in the search, the script is not triggered. Is there any way?

Thanks and best regards

Falko

0 Karma

manjunathmeti
Champion

Is you script reading any inputs?

If not you can use sendalert command to trigger this alert action.

 <your_search> | sendalert myscript
0 Karma

flk2309
New Member

Works fine. Thank you!

0 Karma

manjunathmeti
Champion

You are welcome. Please accept the answer.

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...