Splunk Enterprise Security

How to troubleshoot the Adaptive Response script not running?


Hello everyone,

I have set an Adaptive Response Action (custom bash script) along with a Notable event on a simple correlation search. The Notable triggers but the script not.

The script is used to initiate a tcpdump capture on an indexer. The script is placed under:

- /opt/splunk/etc/apps/SplunkEnterpriseSecurity/bin/tcpdump.sh

- /opt/splunk/bin/scripts/tcpdump.sh

Owner: splunk  Permissions: 755



#Initiate tcpdump (3 dumps for 5mins each)
tcpdump -i ens33 -G 300 -W 3 -w /mnt/nfs/pcaps/pcap-%Y-%m-%d_%H.%M.%S


I tried to create an app with an Adaptive Response Action with Addon-Builder but my coding skills are not good.

How can I troubleshoot why the script is not running at all?



Labels (1)
0 Karma


Hi @b_chris21 

try to add the full path and give it a try 






this works when manually triggering the script as splunk user (on the indexer directly). I know try to get the adaptive response action work.

Question: the script should reside on Splunk ES or on remote indexer? Or normally it should replicated via the replication bundle?


0 Karma


I managed to have the script run after the Notable was triggered, but the script actually run on the machine where ES is installed.

How can I get it run on the Indexer?


0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...