Alerting

Change scripted alert script location?

Jason
Motivator

In trying to package up our app into its own app folder, we ran into an issue where it seems Splunk won't accept .. / \ in the script path, and will only look in $SPLUNK_HOME/bin/scripts. This seems oddly contrary to everything else in Splunk, which can be neatly packaged in an app.

Is there a way to allow alert scripts to reside in $SPLUNK_HOME/etc/ourapp/bin and still be run?

Tags (2)
1 Solution

ziegfried
Influencer

I've tried it once and wasn't able to get it working outside of bin/scripts. There's probably no way to this this right now. I've filed an ER back then. You should do this too if you want this to be available sometime in Splunk.

View solution in original post

agent613
Explorer

This DOES work, but the documentation is wrong.

Contrary to what is stated here: http://wiki.splunk.com/Community:TroubleshootingAlertScripts and in the README file for each app, you need to put it in etc/apps//bin/scripts.

Then, in your alert, don't specify any path, just the name of the script.

ruman
Splunk Employee
Splunk Employee

hmm. this doesn't work for me in splunk 6.0. even with a default.meta that exports everything.

according to http://wiki.splunk.com/Community:TroubleshootingAlertScripts, the script in the app will only be accessible by saved searches in the app's context.

i wonder if this used to work but was broken in 6.0? December 16 2011 would have been splunk 4.2 IIRC...maybe i'll downgrade and see if it works there...

huister
New Member

Thanks agent613 this worked!
I'm trying to upvote you but I don't have enough points so I'll repeat what you said and add a bit.

The script must be in the /bin/scripts folder of the app.

So for alerts in the search app I put the script I want to run(DoSomethingOnAlert.sh) in

/opt/splunk/etc/apps/search/bin/scripts/

Under a saved search in the alert actions section under
"File name of shell script to run"
you can only put the filename WITHOUT path
(Otherwise you will get the "script location cannot contain" error message in /opt/splunk/var/log/splunk/splunkd.log)
so in here i have only the script name:

DoSomethingOnAlert.sh

0 Karma

ziegfried
Influencer

I've tried it once and wasn't able to get it working outside of bin/scripts. There's probably no way to this this right now. I've filed an ER back then. You should do this too if you want this to be available sometime in Splunk.

gkanapathy
Splunk Employee
Splunk Employee

I believe you can place them in $SPLUNK_HOME/etc/ourapp/bin/scripts

0 Karma

Jason
Motivator

Doesn't work. Splunk complained if I tried to put a full path in (ERROR script - Script location cannot contain "..", "/", or "\"), or just place the script in /etc/ourapp/bin/ or etc/ourapp/bin/scripts (ERROR script - Cannot find script at /opt/splunk/bin/scripts/script.sh) - other ideas?

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...