Hello,
I'm new at this triggering of alert scripts and have hit my first obstacle.
When this search is manually fired in the Splunk GUI:
index=* sourcetype=df | multikv | eval perc_used=trim(UsePct, "%") | search perc_used >= 80 | runshellscript snow_alert.sh
it gives the following error message:
External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2." "
The script looks like this:
#! /bin/sh
#
# ARGUMENTS
# $0 Script name
# $1 Number of events returned
# $2 Search terms
# $3 Fully qualified query string
# $4 Name of saved search
# $5 Trigger reason (for example, "The number of events was greater than 1")
# $6 Browser URL to view the saved search
# $8 File in which the results for this search are stored (contains raw results)
/opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\""
That script is in the correct location on the filesystem and I am able to run it at the CLI.
Example from the CLI:
opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\"" >> splunk-testing.log 2>&1
The following error is logged:
"External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2.""
It is mentioned here:
http://wiki.splunk.com/Community:TroubleshootingAlertScripts
When I execute:
echo "`date` ARG0='$0' ARG1='$1' ARG2='$2' ARG3='$3' ARG4='$4' ARG5='$5' ARG6='$6' ARG7='$7' ARG8='$8'"
I get:
Tue Jan 22 12:43:32 PST 2013 ARG0='-bash' ARG1='' ARG2='' ARG3='' ARG4='' ARG5='' ARG6='' ARG7='' ARG8=''
What am I doing wrong?
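
Added example, not part of the original post: helper functions that record and validate the positional arguments from inside the alert script, where "$@" holds what the caller actually passed (at an interactive prompt, as in the ARG0='-bash' output above, the positional parameters are empty). The function names and the log path are assumptions.

```shell
#!/bin/sh
# Added example: helpers for an alert script that receives the positional
# arguments listed in the post ($1..$8). All names here are hypothetical.

# Assumed log location; override by exporting ALERT_ARG_LOG.
ALERT_ARG_LOG="${ALERT_ARG_LOG:-/tmp/alert_args.log}"

# Format the caller's arguments as one line: ARG1='..' ARG2='..' ...
format_alert_args() {
    i=1
    line=""
    for arg in "$@"; do
        line="${line}${line:+ }ARG${i}='${arg}'"
        i=$((i + 1))
    done
    printf '%s\n' "$line"
}

# Return 0 only if at least 8 arguments arrived and $6 (results URL) and
# $8 (results file) are non-empty; otherwise explain on stderr, return 1.
check_alert_args() {
    if [ "$#" -lt 8 ]; then
        echo "expected 8 alert arguments, got $#" >&2
        return 1
    fi
    if [ -z "$6" ] || [ -z "$8" ]; then
        echo "results URL (\$6) or results file (\$8) is empty" >&2
        return 1
    fi
    return 0
}

# Append a timestamped record of the arguments, then validate them.
log_and_check() {
    printf '%s %s\n' "$(date)" "$(format_alert_args "$@")" >> "$ALERT_ARG_LOG"
    check_alert_args "$@"
}

# Intended use as the first command of the alert script:
#   log_and_check "$@" || exit 1
```

With this at the top of the script, an invocation that passes no arguments leaves a log line and exits before the search command is built with an empty $6.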