I'm new at this triggering of alert scripts and have hit my first obstacle.
When this search is manually fired in the Splunk GUI:

index=* sourcetype=df | multikv | eval perc_used=trim(UsePct, "%") | search perc_used >= 80 | runshellscript snow_alert.sh

it gives the following error message:

External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2." "

The script looks like this:

#! /bin/sh
#
# ARGUMENTS
# $0 Script name
# $1 Number of events returned
# $2 Search terms
# $3 Fully qualified query string
# $4 Name of saved search
# $5 Trigger reason (for example, "The number of events was greater than 1")
# $6 Browser URL to view the saved search
# $8 File in which the results for this search are stored (contains raw results)
/opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\""

That script is in the correct location on the filesystem and I am able to run it at the CLI. Example from the CLI:

/opt/splunk/bin/splunk search "|snow instance=dev action=insert request=incident short_description=\"Alert filed by Splunk.\" work_notes=\"Results URL = $6\"" >> splunk-testing.log 2>&1

The following error is logged:

"External search command 'runshellscript' returned error code 1. Script output = "ERROR "Missing arguments to operator 'runshellscript', expected at least 10, got 2.""

It is mentioned here: http://wiki.splunk.com/Community:TroubleshootingAlertScripts
When I execute:
date ARG0='$0' ARG1='$1' ARG2='$2' ARG3='$3' ARG4='$4' ARG5='$5' ARG6='$6' ARG7='$7' ARG8='$8'
Tue Jan 22 12:43:32 PST 2013 ARG0='-bash' ARG1='' ARG2='' ARG3='' ARG4='' ARG5='' ARG6='' ARG7='' ARG8=''
What am I doing wrong?
That command is what's used when an alert script fires.
When an alert fires and there's a script to run, those variables are passed to the script, along with a session key, which is read from STDIN.
For instance, $4 is the saved search name; this can't be set because this isn't a saved search.
If you save your search and create an alert trigger to call your script, it will work.
Or ... create the variables yourself.
Here the 1st argument is the number of results:

* | head 1 | runshellscript echo.sh

* | head 1 | runshellscript echo.sh [ search * | stats count | return count ] 2 3 4 5 6 7
and it puts this in bin/scripts/echo_output.txt:
'/opt/splunk/bin/scripts/echo.sh' 'count=64972' '2' '3' '4' '5' '6' '7' '/opt/splunk/var/run/splunk/dispatch/8/results.csv.gz' 'sessionKey=cedffc9ebc8cf266eb59a95156922ecd'
Worth noting: the script doesn't run against each row.
This is actually very, very cool: providing you're careful with your search, you can pass search results directly into the script.
* | stats values(sourcetype) as types | eval stuff=mvjoin(types,",") | map search="| runshellscript echo.sh \"$stuff$\" 2 3 4 5 6 7 8"
Now echo.sh gets a comma delimited list of sourcetypes as the 1st argument.
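The argument convention the answer describes ($1..$8 on the command line, the session key on STDIN, the gzipped results CSV as $8) is easy to get wrong in the way the question shows, so here is an added example of a defensive alert-script skeleton. It is not code from the thread or from Splunk; the function names, the log line and the placeholder key and URL are constructed for the demo. It refuses to run with missing arguments instead of silently using empty values, reads the session key without ever writing it to disk (the echo.sh output quoted above stores the key in a file, which is worth avoiding), and counts the rows in the results file.

```shell
#!/bin/sh
# Added example (not from the thread): a defensive skeleton for a Splunk
# alert script following the $1..$8 + STDIN session-key convention.
# Function names and all sample values are constructed for the demo.

# Bind the positional arguments Splunk passes to an alert script.
# Refuse to continue with fewer than 8, which is exactly the situation
# the question ran into when calling runshellscript from an ad-hoc search.
parse_alert_args() {
    if [ "$#" -lt 8 ]; then
        echo "expected 8 alert arguments, got $#" >&2
        return 2
    fi
    event_count="$1"
    search_terms="$2"
    query_string="$3"
    saved_search="$4"
    trigger_reason="$5"
    results_url="$6"
    # $7 is passed by Splunk but not used here.
    results_file="$8"
    return 0
}

# Read the session key Splunk sends on STDIN as "sessionKey=<key>".
# It is kept in a variable only and deliberately never logged.
read_session_key() {
    IFS= read -r line || line=""
    case "$line" in
        sessionKey=*) SESSION_KEY="${line#sessionKey=}" ;;
        *)            SESSION_KEY="$line" ;;
    esac
    [ -n "$SESSION_KEY" ]
}

# Count data rows (header excluded) in the gzipped results CSV given as $8.
count_result_rows() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "results file not readable: $file" >&2
        return 1
    fi
    gzip -dc "$file" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Full flow: validate args, take the key from STDIN, inspect the results,
# write a log line to stderr that contains no secret, print the row count.
handle_alert() {
    parse_alert_args "$@" || return 2
    read_session_key || return 3
    rows=$(count_result_rows "$results_file") || return 4
    printf 'alert=%s reason="%s" events=%s rows=%s url=%s\n' \
        "$saved_search" "$trigger_reason" "$event_count" "$rows" "$results_url" >&2
    echo "$rows"
}

# Drive handle_alert the way Splunk would: eight arguments plus the key on
# STDIN, against a constructed results.csv.gz in a temporary directory.
demo_alert() {
    tmpdir=$(mktemp -d) || return 1
    printf 'Filesystem,UsePct\n/dev/sda1,85%%\n/dev/sdb1,91%%\n' \
        | gzip -c > "$tmpdir/results.csv.gz"
    rows=$(printf 'sessionKey=CONSTRUCTED_PLACEHOLDER_KEY\n' | handle_alert \
        2 \
        'index=* sourcetype=df' \
        'search index=* sourcetype=df | multikv' \
        'df_over_80_percent' \
        'The number of events was greater than 1' \
        'https://splunk.example.invalid/app/search/@go?sid=placeholder' \
        '' \
        "$tmpdir/results.csv.gz")
    rc=$?
    rm -rf "$tmpdir"
    echo "$rows"
    return $rc
}
```

Running demo_alert prints 2 (the two data rows of the constructed file) and leaves only the non-secret log line on stderr; calling parse_alert_args with two arguments fails with status 2 rather than proceeding, which is the behaviour the question's snow_alert.sh would have needed to make the empty $6 visible.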
Does the runshellscript command only work in alerts? So I should create a search query, which has the runshellscript command, in http://splunk.xyz/en-US/app/search/search and then save it as an alert?
I have directly tried this command in the search GUI to save the result, but it does not return the results.csv.gz.