Splunk Dev

What is the easiest way to make an alert (sound, Python script, ...) in Splunk search?

erez10121012
Path Finder

Hi,

I want to make an alert in Splunk, for example:

if _raw>10

make an alert.

What is the easiest way to make an alert?

Can I do it within the search command?

Play a WAV file?

Play it through the browser?

A Python script?

1 Solution

PickleRick
SplunkTrust

There is a script command: https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Script

But it's also not as easy as just writing

| tstats count | ping

Running arbitrary commands from a Splunk search is not something that should be treated lightly.


erez10121012
Path Finder

A bit difficult to execute; there is no simple way to execute any command through the search. Maybe ping?


erez10121012
Path Finder

Thanks for the detailed explanation.

"In your rack cabinet? Kinda pointless, isn't it?"

My "rack cabinet" is located close to my client computer, and the alert will reach my client.

PickleRick
SplunkTrust

Well, in that case you might think of a custom alert action which will be performed on the search head (or all-in-one, as I assume you have), but that's something you have to devise on your own because it's a very atypical case.

https://docs.splunk.com/Documentation/Splunk/8.2.5/AdvancedDev/ModAlertsIntro

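As an added example (not code from this thread, and not one of Splunk's own scripts), here is the shape of the custom alert action PickleRick points to. Splunk runs such a script on the search head as `python alert_action.py --execute` and writes a JSON payload describing the triggered alert to stdin; the payload keys used below (`search_name`, `sid`, `result`, `configuration`) are the documented ones, while the `threshold` parameter, the `aplay` binary, the WAV path and the sample payload are assumptions made for the example. The point it is meant to show is the one from the accepted answer: fields in `result` come from indexed events, so whoever can get a log line indexed controls them, and the script must never let them reach a shell.

```python
"""Minimal custom (modular) alert action for Splunk (added example).

Invocation by splunkd on the search head:  python alert_action.py --execute
with a JSON payload on stdin.  Payload keys used: search_name, sid, result,
configuration.  The threshold parameter, aplay and the WAV path are assumed.
"""
import json
import re
import subprocess
import sys

# Fixed, operator-controlled argv.  It is never assembled from search results,
# and it is executed without a shell, so event fields can't inject anything.
PLAYER_CMD = ["/usr/bin/aplay", "/opt/splunk/etc/apps/myapp/static/alert.wav"]

# Allowlist for event-derived strings that we are willing to echo into a log.
SAFE_FIELD_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,128}$")

# Constructed sample payload (shape follows the modular-alert protocol; the
# values, including the hostile host field, are made up for this example).
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "raw over 10",
    "sid": "scheduler__admin__search__abc123_at_1700000000_1",
    "configuration": {"threshold": "10"},
    "result": {"_time": "1700000000", "host": "x; rm -rf /", "count": "42"},
})


def parse_payload(raw):
    """Parse the JSON Splunk sends on stdin; reject anything without a result."""
    payload = json.loads(raw)
    if not isinstance(payload.get("result"), dict):
        raise ValueError("payload has no 'result' object")
    return payload


def should_fire(payload, field="count"):
    """True when result[field] is numeric and above the configured threshold.

    The threshold is read from the action's own configuration (the alert's
    param.threshold, which Splunk passes under 'configuration'), not from the
    event, so injected events cannot lower it.  Non-numeric values never fire.
    """
    config = payload.get("configuration") or {}
    try:
        threshold = float(config.get("threshold", 10))
        value = float(payload["result"].get(field, "nan"))
    except (TypeError, ValueError):
        return False
    return value > threshold  # NaN compares False, so a missing field is quiet


def safe_field(value):
    """Return value unchanged only if it matches the allowlist, else redact it."""
    value = str(value)
    return value if SAFE_FIELD_RE.match(value) else "<unsafe-value-redacted>"


def build_command(payload):
    """Argv to execute.  Deliberately independent of the payload contents."""
    return list(PLAYER_CMD)


def handle(raw, run=subprocess.run):
    """Process one --execute invocation.  Returns what was decided and logged."""
    payload = parse_payload(raw)
    if not should_fire(payload):
        return {"fired": False, "log": "threshold not exceeded"}
    # json.dumps escapes newlines and quotes, which keeps a hostile field from
    # forging extra log lines; the host is additionally allowlisted.
    log = json.dumps({
        "search_name": payload.get("search_name", ""),
        "sid": payload.get("sid", ""),
        "host": safe_field(payload["result"].get("host", "unknown")),
    })
    run(build_command(payload), check=False, shell=False)
    return {"fired": True, "log": log}


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        outcome = handle(sys.stdin.read())
        sys.stderr.write(outcome["log"] + "\n")  # stderr lands in splunkd.log
        sys.exit(0)
    sys.stderr.write("FATAL unsupported invocation\n")
    sys.exit(1)
```

To wire it up, the script goes into an app's bin/ directory and the action is declared in that app's alert_actions.conf (stanza named after the script, with a `param.threshold` setting); those two locations are the documented ones, the stanza contents are assumed here. Note that `aplay` runs on the search head, which is exactly the "rack cabinet" problem discussed above: this only helps when the search head is the machine whose speaker you can hear.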

PickleRick
SplunkTrust

Wait a second.

You have to think about how Splunk works.

You can have an all-in-one installation on your desktop, but in general the Splunk infrastructure is composed of several layers. There are indexers, there are search heads, and there is your browser, which connects to a search head that is typically on a different host.

An alert in the Splunk sense is a search which triggers some action _on the search head_ if some conditions are fulfilled. So in the general case the alert action is performed on the search head, which typically is in some server room, possibly on a virtual machine. Even if you created a custom "play wav file" script to handle such an alert, where would it play? In your rack cabinet? Kinda pointless, isn't it? 😉

You could try to add some client-side logic in a dashboard which would do something based on the value of a specific form field or something like that, but that's purely client-side programming in JS and, frankly, it doesn't have much to do with Splunk itself; it's just inserting external JS code into a Splunk dashboard. It probably can be done, but I don't find the idea worth pursuing.
