Alerting

Change scripted alert script location?

Jason
Motivator

In trying to package up our app into its own app folder, we ran into an issue where it seems Splunk won't accept .. / \ in the script path, and will only look in $SPLUNK_HOME/bin/scripts. This seems oddly contrary to everything else in Splunk, which can be neatly packaged in an app.

Is there a way to allow alert scripts to reside in $SPLUNK_HOME/etc/ourapp/bin and still be run?


ziegfried
Influencer

I've tried it once and wasn't able to get it working outside of bin/scripts. There's probably no way to do this right now. I've filed an ER back then. You should do this too if you want this to be available sometime in Splunk.


agent613
Explorer

This DOES work, but the documentation is wrong.

Contrary to what is stated here: http://wiki.splunk.com/Community:TroubleshootingAlertScripts and in the README file for each app, you need to put it in etc/apps//bin/scripts.

Then, in your alert, don't specify any path, just the name of the script.

ruman
Splunk Employee

Hmm. This doesn't work for me in Splunk 6.0. Even with a default.meta that exports everything.

According to http://wiki.splunk.com/Community:TroubleshootingAlertScripts, the script in the app will only be accessible by saved searches in the app's context.

I wonder if this used to work but was broken in 6.0? December 16 2011 would have been Splunk 4.2 IIRC... maybe I'll downgrade and see if it works there...

huister
New Member

Thanks agent613 this worked!
I'm trying to upvote you but I don't have enough points so I'll repeat what you said and add a bit.

The script must be in the /bin/scripts folder of the app.

So for alerts in the search app I put the script I want to run (DoSomethingOnAlert.sh) in

/opt/splunk/etc/apps/search/bin/scripts/

Under a saved search, in the alert actions section under "File name of shell script to run", you can only put the filename WITHOUT path. (Otherwise you will get the "script location cannot contain" error message in /opt/splunk/var/log/splunk/splunkd.log.) So in here I have only the script name:

DoSomethingOnAlert.sh


gkanapathy
Splunk Employee

I believe you can place them in $SPLUNK_HOME/etc/ourapp/bin/scripts


Jason
Motivator

Doesn't work. Splunk complained if I tried to put a full path in (ERROR script - Script location cannot contain "..", "/", or "\"), or just place the script in /etc/ourapp/bin/ or etc/ourapp/bin/scripts (ERROR script - Cannot find script at /opt/splunk/bin/scripts/script.sh) - other ideas?
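The behaviour reported in this thread can be checked ahead of deployment. The following is an added example, not code from any poster or from Splunk: it reads `action.script.filename` from savedsearches.conf text, flags names containing the substrings from the quoted error, and looks for the script in the app's bin/scripts and then the global bin/scripts. The search order, the sample configuration and the helper names `audit` and `demo` are assumptions made for illustration.

```python
import configparser
import os
import tempfile

# Substrings named in the splunkd.log error quoted in the thread.
FORBIDDEN = ("..", "/", "\\")

# Constructed savedsearches.conf content for the demonstration.
SAMPLE_CONF = """
[Packaged alert]
search = index=main error
action.script = 1
action.script.filename = DoSomethingOnAlert.sh

[Path in name]
action.script = 1
action.script.filename = ../ourapp/bin/script.sh

[Script not deployed]
action.script = 1
action.script.filename = script.sh
"""

def audit(conf_text, splunk_home, app):
    """Classify each scripted alert as rejected, found (with directory) or missing."""
    dirs = [os.path.join("etc", "apps", app, "bin", "scripts"),  # location reported in the thread
            os.path.join("bin", "scripts")]                      # global default location
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for stanza in cp.sections():
        name = cp.get(stanza, "action.script.filename", fallback="").strip()
        if not name:
            continue  # saved search without a script action
        bad = [tok for tok in FORBIDDEN if tok in name]
        if bad:
            report[stanza] = ("rejected", bad)
            continue
        hits = [d for d in dirs if os.path.isfile(os.path.join(splunk_home, d, name))]
        report[stanza] = ("found", hits[0]) if hits else ("missing", dirs)
    return report

def demo():
    """Build a throwaway SPLUNK_HOME layout (constructed) and audit SAMPLE_CONF."""
    with tempfile.TemporaryDirectory() as home:
        scripts = os.path.join(home, "etc", "apps", "search", "bin", "scripts")
        os.makedirs(scripts)
        open(os.path.join(scripts, "DoSomethingOnAlert.sh"), "w").close()
        return audit(SAMPLE_CONF, home, "search")

if __name__ == "__main__":
    for stanza, result in demo().items():
        print(stanza, result)
```

Run against a real installation by passing the contents of the app's savedsearches.conf, the actual $SPLUNK_HOME and the app's directory name to `audit`.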
