Getting Data In

Scripted-alert on Windows instance cannot execute exe

klee310
Communicator

Hi, I'm trying to set up a simple (proof-of-concept) popup window on my Windows Server 2k8 machine, with a Splunk alert trigger. I have tried the "echo.bat" sample from here already.

My popup window (for now) is a simple .exe command which watches for all command-line arguments and appends them to a textbox on the popup. The executable is written in .NET 4.0.

At the moment, I am using the | runshellscript command to initiate the script (echo.bat).

I can run the echo.bat just fine, and the results are as expected. Even if I inserted the line at the top to run my .exe file, the results are correctly output to the echo_output.txt file as expected; however there is no popup window. I can run the popup window by calling the command directly - just not with | runshellscript.

Am I missing something here? Maybe I don't even need to write an exe command if there is some better way of doing this with Splunk. Any help is greatly appreciated.

0 Karma
1 Solution

gkanapathy
Splunk Employee

Are you trying to pop up a Window on your machine from a scripted alert? It's possible that it is happening, but is simply happening on the Splunk process' desktop, not one you're looking at. It would be expected that any programs that launch and open a window are going to open them in a desktop owned by the Splunkd service process, not by any logged-in user (and logging in as the same user would not and should not be expected to let you see it either).

If you're trying to do this, the right way is to use the scripted alert to send a signal, message, trap, email, or other mechanism to another process that is able to display things on your interactive desktop.

jlvix1
Communicator

This won't work, and this is the reason why ...

The Splunk service runs as "SYSTEM", for example; the script is run in this context, beneath splunkd.exe...

By default, the splunkd.exe service definition does not have the desktop interaction privilege.

Even if the privilege is assigned, you would possibly get a desktop alert from Windows saying that the system account has something to show you. When you switch to that desktop it is extremely simplistic: no taskbar, no desktop icons, low resolution and isolated. It's hard work getting services to interact via the desktop properly anyway, and messaging between applications is a favorable alternative - using the Splunk REST API is a possibility?

Say that... if you changed the Splunk service identity to be your account, it will run in a separate session and probably won't alert you like the system account does anyway.

Services are very much behind the scenes; we just use the alerting mechanism. If you use Outlook then knock up some rules or a VBA form to respond to the email alerts.

0 Karma
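The pattern gkanapathy's accepted answer and jlvix1's reply describe (the scripted alert never draws UI itself; it only hands a message to a separate process that is already running on the interactive desktop), written out as an added PowerShell example. This is not code from the thread or from Splunk. It assumes a spool directory C:\ProgramData\SplunkAlertSpool, the service name splunkd, and the parameter names used below; the Check mode is the diagnostic a practitioner would run first, because it shows the session id of the caller and whether the service account has the desktop-interaction flag set (it should not).

```powershell
<#
  Added example, not from the Splunk Community thread or from Splunk.
  Three modes:
    Check - show who you are, which session you are in, and how splunkd is configured
    Alert - called from the scripted alert (runs as the service account, session 0):
            drop a small text message into a spool directory
    Watch - run in the logged-in user's session: pick up messages and show a MessageBox
  Assumed (not from the page): the spool path, the service name 'splunkd', parameter names.
#>
param(
    [ValidateSet('Check','Alert','Watch')]
    [string]$Mode = 'Check',
    [string]$Message = 'Splunk alert fired',
    [string]$SpoolDir = 'C:\ProgramData\SplunkAlertSpool'   # assumed path
)

function Show-ServiceContext {
    # Services live in session 0 since Vista / Server 2008; interactive users get session 1+.
    $session = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    # Get-WmiObject rather than Get-CimInstance so this also works on PowerShell 2.0 (Server 2008).
    $svc = Get-WmiObject Win32_Service -Filter "Name='splunkd'"   # assumed service name
    [pscustomobject]@{
        CurrentUser            = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        CurrentSessionId       = $session
        ServiceAccount         = $svc.StartName
        ServiceDesktopInteract = $svc.DesktopInteract   # keep this $false; do not grant it
    }
}

function Write-AlertMessage {
    param([string]$Text, [string]$Dir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    # Write under a temporary name and rename, so the watcher never reads a half-written file.
    $name  = '{0:yyyyMMddHHmmssfff}-{1}' -f (Get-Date), [guid]::NewGuid().ToString('N')
    $tmp   = Join-Path $Dir ($name + '.tmp')
    $final = Join-Path $Dir ($name + '.msg')
    # Keep the payload short plain text; the watcher only displays it, never executes it.
    $Text.Substring(0, [Math]::Min($Text.Length, 1024)) | Set-Content -Path $tmp -Encoding UTF8
    Rename-Item -Path $tmp -NewName ($name + '.msg')
    return $final
}

function Watch-AlertSpool {
    param([string]$Dir, [int]$PollSeconds = 2)
    Add-Type -AssemblyName System.Windows.Forms
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $sid = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    Write-Host "Watching $Dir from session $sid"
    while ($true) {
        Get-ChildItem -Path $Dir -Filter '*.msg' | Sort-Object Name | ForEach-Object {
            # Treat the spool file as untrusted data: read it as text and show it, nothing more.
            $body = [System.IO.File]::ReadAllText($_.FullName)
            [void][System.Windows.Forms.MessageBox]::Show($body, 'Splunk alert')
            Remove-Item -Path $_.FullName
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

switch ($Mode) {
    'Check' { Show-ServiceContext | Format-List }
    'Alert' { Write-AlertMessage -Text $Message -Dir $SpoolDir }
    'Watch' { Watch-AlertSpool -Dir $SpoolDir }
}
```

Run it with -Mode Check once as yourself and once from the scripted alert (redirecting the output to a file, since nothing from the service side reaches your screen): the two session ids differ, which is the whole reason the original popup never appears. The scripted alert's .bat then calls this script with -Mode Alert, and a copy started at logon in your own session runs -Mode Watch. Restrict the spool directory's ACL to the service account (write) and the watching user (read and delete) so that no other local account can push text onto that desktop.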

klee310
Communicator

Hmm... I think I understand what you're trying to say.

... something like Windows services are not interactive...

What [type of mechanism] would you suggest I send to another process? Is there something in Python (scripts) to write a message to MSMQ? Sorry, I'm very new to scripting...

From my understanding, you are referring to IPC (Inter-Process-Communication)... in that case, maybe I can try to do something in my Windows exe to try and locate the interactive desktop before showing itself.

I'll see what I can come up with. Thanks for your help gkanapathy!

0 Karma

gpullis
Communicator

Maybe try msg.exe like in this answer?

0 Karma

klee310
Communicator

I've tried that. As a matter of fact, I posted this question after I'd read that post... so no, I'm afraid this doesn't answer my question. But thanks for trying.

0 Karma

klee310
Communicator

By the way, to run the echo.bat script from the search bar, this is what I type:

| runshellscript echo.bat 1 kelvin search none none none none 10

... and the output is....

"C:\Program Files\Splunk\bin\scripts\echo.bat", "1", "kelvin", "search", "none", "none", "none", "none", "C:\Program Files\Splunk\var\run\splunk\dispatch\10\results.csv.gz"

Fri 05/27/2011

11:13 AM


0 Karma