Alerting

How to - Custom alert action (passing arguments to custom scripts)

mbagali_splunk
Splunk Employee

How to use a custom script in alert actions and pass arguments to it when the alert is triggered

1 Solution

mbagali_splunk
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered:

Let us assume a sample.sh script as below, which accepts a name as an argument and prints to a sample.log file:

#!/bin/bash
# append a greeting with the current timestamp; $1 is the first argument passed by Splunk
echo "hello $1 @ $(date +%Y-%m-%d-%H:%M:%S)" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions:

Create an app "MyApp" with a "bin" directory and a "default" directory.

In the bin directory, place sample.sh and a .path file. The .path file should contain the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

# flag the action as a custom alert action
is_custom = 1

# configure appearance in the UI
label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

# override default script execution
alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After a Splunk restart, the custom alert action will be available and needs to be selected when creating the alert.

In alert_actions.conf you can pass any number of arguments to your script.

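A hardened version of the sample.sh above, added here as an example and not taken from the original post. It assumes the same wiring the answer describes (bash.path pointing at /bin/bash, sample.sh as alert.execute.cmd.arg.1 and the name as alert.execute.cmd.arg.2), a hypothetical default log path under /opt/splunk/var/log/splunk, and a SAMPLE_LOG override variable that is also an assumption. The point it adds is that the argument should be validated: a value that is a fixed string today may later be driven by search-result data, and the script runs with the privileges of the splunkd user, so unvalidated input is both a log-injection and a command-injection risk in anything the script later does with it.

```shell
#!/bin/bash
# Hardened version of sample.sh (added example; not from the original post).
# Assumes the wiring from the answer above: Splunk runs
#   /bin/bash /opt/splunk/etc/apps/myapp/bin/sample.sh <name>
# via bash.path and alert.execute.cmd.arg.1 / .arg.2. The default LOG_FILE
# location and the SAMPLE_LOG override variable are assumptions.
set -eu

LOG_FILE="${SAMPLE_LOG:-/opt/splunk/var/log/splunk/sample_alert.log}"

# Accept only a conservative character set (max 64 chars). Treat anything
# that reaches the script from alert configuration as untrusted once it can
# be fed from search results; this keeps shell metacharacters and newlines
# out of the log file and out of any later command.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Format one log record. The name is passed as a printf argument, never
# interpolated into a format string, and date runs in a command
# substitution (the post's version lacked the $(...)).
log_line() {
    printf 'hello %s @ %s\n' "$1" "$(date +%Y-%m-%d-%H:%M:%S)"
}

# Entry point. Exit status 2 on a rejected argument so the failure is
# visible in splunkd.log instead of silently logging garbage.
run_action() {
    name="${1:-}"
    if ! valid_name "$name"; then
        printf 'sample.sh: rejected argument: %s\n' "$name" >&2
        return 2
    fi
    log_line "$name" >> "$LOG_FILE"
}

# Run only when Splunk (or a user) actually passes an argument, so the
# functions can also be sourced for testing without side effects.
if [ "$#" -gt 0 ]; then
    run_action "$@"
fi
```

With `Anyname` as arg.2 this behaves exactly like the original; with an argument such as `Anyname; touch /tmp/pwned` (a constructed hostile value) it exits 2 and writes nothing, which is what you want to see in splunkd.log rather than a mangled log line.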


rvany
Communicator

If you just name your script custom_script.sh - using exactly the phrase from the corresponding alert_actions.conf stanza - the bash.path file and the alert.execute.* entries in alert_actions.conf are not necessary.

