Alerting

How to pull the host name from an alert to add to a script for an iisreset?

bobmccoy
Explorer

I have an alert set for high CPU using this search:

sourcetype="perfmon:Windows__Processor" counter="% Processor Time" earliest=-13m latest=-1m
 | stats avg(Value)  as AvgProcessorTime by host
 | where AvgProcessorTime > 85

The email alert gives this host AvgProcessorTime
(Hostname) 98.897829

How can I get the host name from the alert and add that to a script to iisreset that host?

shreyasathavale
Communicator

,I am also looking for something like this? Did you get it working?

0 Karma

bobmccoy
Explorer

So I updated my search to include an output

 sourcetype="perfmon:Windows__Processor" counter="% Processor Time" earliest=-13m latest=-1m
  | stats avg(Value)  as AvgProcessorTime by host
  | where AvgProcessorTime > 85 | outputcsv HighCpu.csv

this puts a csv file here:
S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv

Now I have script that takes the host name from the csv

uses credentials and iisreset the host
and edits a text file with host that was reset and date and time

$servers = Import-Csv 'S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv' | Select-Object -ExpandProperty "Host"

forEach ($servers in $servers)
{

$User = "*domain\username*" 
#$session = New-PSSession -ComputerName $servers -credential $mycreds 
$Scriptblock = {IISRESET /RESTART}
$secpasswd = ConvertTo-SecureString “*userpassword*” -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential  (“$User”, $secpasswd)

 "$servers initiated IISreset at $(Get-Date)" | Add-Content -Path 'S:\Temp\IISResetLogs.txt' 

Invoke-Command  $servers –Credential $mycreds  –ScriptBlock {iisreset /RESTART}
}

I put this script here:
S:\Program Files\Splunk\bin\scripts

My only issue is that the trigger is not starting the script
I tested manually and know the script takes the csv get host name iisreset the host and edits the log file

0 Karma

vasanthmss
Motivator

Hi Bobmccoy,

Write an custom script that can run the rest / curl / splunk search from the backend and get the results and play with it.

cheers!

V
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...