I don't see my custom alert action's logs as the documentation suggests I should.
    import sys
    # splat
    # Run with arbitrary input, e.g., index=_internal | head 1 | sendalert splat
    if __name__ == '__main__':
        print >>sys.stderr, "WARN splat look for me in the logs!"
        sys.exit(2)
According to https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/ModAlertsLog:
Access alert action script logs
[....] Any information that your script prints to STDERR will be treated as a log message. Message prefixes, such as DEBUG, INFO, WARN, or ERROR, are treated as the log level. To review logs for an alert action, select Settings>Alert actions. This takes you to the Alert Actions manager page. Select View log events for your alert action.
When I run the above custom alert, I see nothing in the internal index. I do see its logs in search.log if it exits non-zero, of course, but I'd like to be able to see them from the View log events link.
How can I see that WARN log line in View log events (viz., index=_internal sourcetype=splunkd component=sendmodalert action="splat") as the documentation suggests I ought to?