Alerting

How to - Custom alert action (passing arguments to custom scripts)

mbagali_splunk
Splunk Employee
Splunk Employee

How to use a custom script in alert actions and pass arguments to it when the alert is triggered

Tags (1)
0 Karma
1 Solution

mbagali_splunk
Splunk Employee
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered

Let us assume a sample.sh script as below which will accept a name a argument and print to a sample.log file

!/bin/bash
echo "hello $1 @ date +%Y-%m-%d-%H:%M:%S" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions

Create an app "MyApp" with a "bin" directory and "default" directory

Place the sample.sh and another file .path file. The .path file should have the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

flag the action as custom alert action

is_custom = 1

configure appearance in the UI
label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

override default script execution
alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After splunk restart, a custom alert action will be created, which needs to be selected during the alert creation.

In the alert_actions.conf you can pass any number of arguments to your script.

View solution in original post

mbagali_splunk
Splunk Employee
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered

Let us assume a sample.sh script as below which will accept a name a argument and print to a sample.log file

!/bin/bash
echo "hello $1 @ date +%Y-%m-%d-%H:%M:%S" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions

Create an app "MyApp" with a "bin" directory and "default" directory

Place the sample.sh and another file .path file. The .path file should have the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

flag the action as custom alert action

is_custom = 1

configure appearance in the UI
label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

override default script execution
alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After splunk restart, a custom alert action will be created, which needs to be selected during the alert creation.

In the alert_actions.conf you can pass any number of arguments to your script.

View solution in original post

rvany
Communicator

If you just name your script custom_script.sh - using exactly the phrase from the corresponding alerts_action.conf stanza, the bash.path file and the alert.execute.* entries in alert_actions.conf are not necessary.

mbagali_splunk
Splunk Employee
Splunk Employee

If you want to use a custom script in alert actions and pass arguments to it when the alert is triggered

Let us assume a sample.sh script as below which will accept a name a argument and print to a sample.log file

!/bin/bash

echo "hello $1 @ date +%Y-%m-%d-%H:%M:%S" >> /path/sample.log
exit 0

We need to do the following to use this script in alert actions

Create an app "MyApp" with a "bin" directory and "default" directory

Place the sample.sh and another file .path file. The .path file should have the location of the executable.

In this example, we are creating a bash.path with "/bin/bash" as its contents.

In the default directory, create app.conf and alert_actions.conf.

app.conf

[launcher]
version = 1.0

[ui]
is_visible = false
label = Splunk Custom Alert Example

alert_actions.conf

[custom_script]

flag the action as custom alert action

is_custom = 1

configure appearance in the UI

label = Custom Script Alert Action
description = Triggers a custom alert action
icon_path = custom_alert.png

override default script execution

alert.execute.cmd = bash.path
alert.execute.cmd.arg.1 = /opt/splunk/etc/apps/myapp/bin/sample.sh
alert.execute.cmd.arg.2 = Anyname

After splunk restart, a custom alert action will be created, which needs to be selected during the alert creation.

In the alert_actions.conf you can pass any number of arguments to your script.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!