cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jrehl01
New Member
Member since: ‎08-29-2018
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-29-2018
Activity Feed
View All

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 07:53 AM
‎08-30-2018 07:53 AM
Here is the end result of the script that pretty much shows all the information you can grab about an alert and the corresponding events: import json, sys, csv, gzip if __name__ == "__main__": if len(sys.argv) > 1 and sys.argv[1] == "--execute": data = json.loads(sys.stdin.read()) f = open("/tmp/splunktest.txt", "w") f.write("Here's the info we get from splunk:\n") f.write(json.dumps((data), indent=4, sort_keys=False)) f.write("\n\nResults Data:\n") results_file = data["results_file"] fz = gzip.open(results_file) results_content = csv.DictReader(fz) for idx, row in enumerate(results_content): f.write("Information for result #" + str(idx) + "\n") for key, value in row.iteritems(): f.write("Key: " + str(key) + "\tValue: " + str(value) + "\n") f.write("\n") fz.close() f.close() ... View more

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 06:27 AM
‎08-30-2018 06:27 AM
It was more the metadata/default.meta file that was the issue, but I'll still accept you as providing the answer. Thanks again! ... View more

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 06:08 AM
‎08-30-2018 06:08 AM
That was it! I fixed some errors in the script and it successfully ran. You've been very helpful, thank you! ... View more

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 05:39 AM
‎08-30-2018 05:39 AM
I just restarted and same issue. However, I'm noticing this piece in the log: Unable to find alert action script for action="showconfiguration" in app="system" Why is it looking in the "System" app and not my own? Do I have do update anything in the /opt/splunk/etc/system directory? ... View more

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 05:06 AM
‎08-30-2018 05:06 AM
Unfortunately still didn't help. Here's the logs again: 08-30-2018 08:05:32.379 -0400 INFO sendmodalert - Invoking modular alert action=showconfiguration for search="Test" sid="rt_scheduler_adminsearch_RMD5742b25d78d6cf18c_at_1535567638_0.185" in app="search" owner="admin" type="saved" 08-30-2018 08:05:32.380 -0400 ERROR sendmodalert - Error in 'sendalert' command: Alert action "showconfiguration" not found. 08-30-2018 08:05:32.380 -0400 ERROR SearchScheduler - Error in 'sendalert' command: Alert action "showconfiguration" not found., search='sendalert showconfiguration results_file="/opt/splunk/var/run/splunk/dispatch/rt_scheduler_adminsearchRMD5742b25d78d6cf18c_at_1535567638_0.185/results.csv.gz" results_link="http://s01-splunk-d01.devmss.leidos.com:8000/app/search/@go?sid=rt_scheduleradminsearch_RMD5742b25d78d6cf18c_at_1535567638_0.185"' ... View more

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 04:48 AM
‎08-30-2018 04:48 AM
It is in that directory. For some reason the spacing that I put in the post isn't reflected when I submitted it. Here's the content of the script: #!/usr/bin/python import pprint, json, sys if name == "main": f.open("/tmp/splunktest.txt", "w") f.write("Here's the info we get from splunk:") f.write(pprint.pprint(json.loads(sys.stdin.read()))) f.close() ... View more

Re: Why is the custom alert script failing with se...

by in Alerting
‎08-30-2018 04:46 AM
‎08-30-2018 04:46 AM
Oh I didn't even notice the formatting was off on the tree. It is under that directory, the formatting of this post just doesn't reflect that. Not sure why I can't update the amount of spacing there. Here's the content of the script: !/usr/bin/python import pprint, json, sys if __name__ == "__main__": f.open("/tmp/splunktest.txt", "w") f.write("Here's the info we get from splunk:") f.write(pprint.pprint(json.loads(sys.stdin.read()))) f.close() ... View more

Why is the custom alert script failing with sendal...

by in Alerting
‎08-29-2018 12:25 PM
‎08-29-2018 12:25 PM
I'm trying to create a custom alert application. All I want to do right now is to see what kind of parameters I can pull and utilize. So I'm just doing a simple print into a file. I created an app called say, test. And the script is called showconfiguration. This is my first time making a custom app. Here's what the directory structure looks like under /opt/splunk/etc/apps/test: test/ ├── appserver │   └── static │   └── icon.png ├── bin │   └── showconfiguration.py ├── default │   ├── alert_actions.conf │   ├── app.conf │   └── data │   └── ui │   └── alerts │   └── showconfiguration.html ├── metadata │   ├── default.meta │   └── local.meta └── README └── alert_actions.conf.spec Here's alert_actions.conf contents: > [showconfiguration] >is_custom = 1 >label = Testing Splunk alerting capability >description = Testing >icon_path = icon.png >payload_format = json >param.trigger_reason = Saved Search [test] number of events ($job.resultCount$) >param.result_count = $job.resultCount$ >param.one = two Contents of app.conf: > [ui] >is_visible = 0 >label = Alert Tests > >[launcher] >author = Me >description = Testing splunk alert capability >version = 0.1 > >[install] >state = enabled >is_configured = 1 And everything is owned by splunk:splunk and I think has the correct permissions. So I create an alert and set it to run this custom alert. It never runs and I see this error in the splunkd.log: 08-29-2018 15:10:40.746 -0400 ERROR sendmodalert - Error in 'sendalert' command: Alert action "showconfiguration" not found. I don't know what I did wrong here. How do I get sendalert to recognize the showconfiguration script?? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM