Alerting

How to pull the host name from an alert to add to a script for an iisreset?

bobmccoy
Explorer

I have an alert set for high CPU using this search:

sourcetype="perfmon:Windows__Processor" counter="% Processor Time" earliest=-13m latest=-1m
 | stats avg(Value)  as AvgProcessorTime by host
 | where AvgProcessorTime > 85

The email alert gives this host AvgProcessorTime
(Hostname) 98.897829

How can I get the host name from the alert and add that to a script to iisreset that host?

shreyasathavale
Communicator

,I am also looking for something like this? Did you get it working?

0 Karma

bobmccoy
Explorer

So I updated my search to include an output

 sourcetype="perfmon:Windows__Processor" counter="% Processor Time" earliest=-13m latest=-1m
  | stats avg(Value)  as AvgProcessorTime by host
  | where AvgProcessorTime > 85 | outputcsv HighCpu.csv

this puts a csv file here:
S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv

Now I have script that takes the host name from the csv

uses credentials and iisreset the host
and edits a text file with host that was reset and date and time

$servers = Import-Csv 'S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv' | Select-Object -ExpandProperty "Host"

forEach ($servers in $servers)
{

$User = "*domain\username*" 
#$session = New-PSSession -ComputerName $servers -credential $mycreds 
$Scriptblock = {IISRESET /RESTART}
$secpasswd = ConvertTo-SecureString “*userpassword*” -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential  (“$User”, $secpasswd)

 "$servers initiated IISreset at $(Get-Date)" | Add-Content -Path 'S:\Temp\IISResetLogs.txt' 

Invoke-Command  $servers –Credential $mycreds  –ScriptBlock {iisreset /RESTART}
}

I put this script here:
S:\Program Files\Splunk\bin\scripts

My only issue is that the trigger is not starting the script
I tested manually and know the script takes the csv get host name iisreset the host and edits the log file

0 Karma

vasanthmss
Motivator

Hi Bobmccoy,

Write an custom script that can run the rest / curl / splunk search from the backend and get the results and play with it.

cheers!

V
0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...