Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Re: Passing search results to a python script in a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm trying to execute a script in a scheduled Alerts, when results of a search are greater than 0.
I've created my $SPLUNK_HOME/etc/apps/[myapp]/default/alert_actions.conf, following:
https://dev.splunk.com/enterprise/docs/devtools/customalertactions/configappcaa
and I've this:
[MyAction]
is_custom = 1
label = MyAction
description = open ticket
payload_format = json
python.version = python3
alert.execute.cmd = test.py
param.datemod =
param.devname =
param.toner =
I've put 3 params in the same file, and everything I write after = generates this error:
Invalid key in stanza [MyAction] in /splunk/sh/etc/apps/monitor/default/alert_actions.conf, line 9: param.datemod (value: ).
Invalid key in stanza [MyAction] in /splunk/sh/etc/apps/monitor/default/alert_actions.conf, line 10: param.devname (value: ).
Invalid key in stanza [MyAction] in /splunk/sh/etc/apps/monitor/default/alert_actions.conf, line 11: param.toner (value: ).
I understood that it's waiting for something after the =, I've tried ( datemod, devname, toner that are the output of the search ) but nothing.
I configured the web gui alert with MyAction as Trigger Action ( the action is now running every 2 minutes ).
The script is executed, because I write a static line into a file, and I see that the file is always update.
But how can I pass the search results to the script ?
Reading the guide it's no so clear for me.
Thanks in advance for any help!
Fabrizio
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank for your help!
I've found that I've to configure alert_actions.conf.spec file in README dir of my own application.
After some attempts all is wortking fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont think those errors should cause it not to work, they are reporting as errors because there is no corresponding spec file update for your custom alert action. Have a look at https://github.com/splunk/itsi-deep-dive-email-alert/blob/master/README/alert_actions.conf.spec - basically you need to create a README/alert_actions.conf.spec in your app with something like this:
[MyAction]
param.datemod = <string>
param.devname = <string>
param.toner = <string>🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank for your help!
I've found that I've to configure alert_actions.conf.spec file in README dir of my own application.
After some attempts all is wortking fine
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
