Splunk Dev

What is the easiest way to make alert (sound, python script, ...) in Splunk search?

erez10121012
Path Finder

hi,

want to make an alert in Splunk, for example:

if _raw>10

make alert.

what is the easiest way to make alert?

can I do it within the search comment?

play wav file?

play through the browser?

python script?

 

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

There is a script command https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Script

But it's also not as easy as just writing

| tstats count | ping

Running arbitrary commands from splunk search is not something that should be treated lightly.

View solution in original post

0 Karma

erez10121012
Path Finder

A bit difficult to execute, there is no simple way to execute any command through the search, maybe ping?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

There is a script command https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Script

But it's also not as easy as just writing

| tstats count | ping

Running arbitrary commands from splunk search is not something that should be treated lightly.

0 Karma

erez10121012
Path Finder

thanks for the detailed explanation.

"In your rack cabinet? Kinda pointless, isn't it?"

my "rack cabinet" is located close to my client computer, and the alert will reach to my client

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Well, in that case you might think of a custom alert action which will be performed on the search head (or all-in-one as I assume you have) but that's something you have to devise on your own because it's a very atypical case.

https://docs.splunk.com/Documentation/Splunk/8.2.5/AdvancedDev/ModAlertsIntro

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Wait a second.

You have to think how splunk works.

You can have an all-in-one installation on your desktop but in general, the splunk infrastructure is composed of several layers. There are indexers, there are search heads, and there is your browser which connects to a search head which typically is on a different host.

An alert in splunk sense is a search which triggers some action _on the search head_ if some conditions are fulfilled. So in general case - the alert action is performed on the search head which typically is in some server room, possibly on a virtual machine. Even if you created a custom "play wav file" script to handle such alert where would it play? In your rack cabinet? Kinda pointless, isn't it? 😉

You could try to add some client-side logic in a dashboard which would do something based on a value of specific form or something like that but that's purely client-side programming in JS and - frankly - it doesn't have much to do with Splunk itself, it's just inserting an external JS code into a Splunk dashboard. Probably can be done but I don't find the idea worth pursuing.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...