Hi @Salvador_Dalí

To create a simple custom alert action that runs a batch file (script.bat) or PowerShell script (script.ps1) on Windows in Splunk Enterprise 9.x, you'll need to build a basic Splunk app with a custom modular alert. This replaces the deprecated "run a script" action.

1. Create a new app directory on your Splunk server: navigate to $SPLUNK_HOME/etc/apps/ and create a new folder, e.g., myorg_custom_action.

2. Create default/alert_actions.conf with:

```
[my_script_action]
is_custom = 1
label = Run My Script
description = Runs a batch or PowerShell script
payload_format = json
```

3. Create default/app.conf with basic app metadata:

```
[ui]
# Hide from app list because this isn't a UI based app...
is_visible = 0
#... etc.
```

4. Create bin/my_script_action.py (the Python script that executes your batch/PS script). Use this template to get you started:

```python
import sys
import json
import subprocess

# Splunk invokes this script with "--execute" and writes the alert payload (JSON) to stdin
payload = json.loads(sys.stdin.read())

# Define your script path (absolute path on the Splunk server)
script_path = "C:\\path\\to\\your\\script.bat"  # Or .ps1 for PowerShell

# Run the script (use powershell.exe for .ps1); pass an argument list, not a shell string
if script_path.endswith('.ps1'):
    # -ExecutionPolicy Bypass: the service account's default policy may otherwise refuse -File
    rc = subprocess.call(['powershell.exe', '-ExecutionPolicy', 'Bypass', '-File', script_path])
else:
    rc = subprocess.call([script_path])

# Return the script's exit code so a failure is visible in splunkd.log
sys.exit(rc)
```

If you want to pass alert data to the script, modify the Python to write payload to a file or pass as args, then adjust your batch/PS script accordingly.

5. Restart Splunk ($SPLUNK_HOME/bin/splunk restart). The action "Run My Script" will appear in alert configuration under "Add Actions".

6. Test: Create a test alert, add your custom action, and trigger it to verify the script runs.

This is a minimal setup; I would recommend extending it for error handling or parameters as required. Custom alert actions are modular apps that allow flexible scripting. The Python handler example reads the alert payload and executes your external script using subprocess. This works on Windows, but ensure the Splunk service account has permissions to run the scripts.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing