Alerts and scripts with parameters

phoenixdigital
Builder

Hi All,

I am trying to get alerts to call a script with some parameters. I am aware Splunk adds 8 or 9 parameters, but I would also like to add my own, which I will change from alert to alert. All alerts will use a common script and its behaviour will be slightly different depending on the parameters passed.

The script lives in $SPLUNK_HOME/bin/scripts/ and looks like this:

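#!/opt/splunk/bin/python
import sys

webPath = "/tmp/"
fileBasename = "-signal.txt"

# The second parameter becomes the contents of the file
propsalData = "proposal=" + sys.argv[2]
# The first parameter is prepended to the name of the file
outputFilename = webPath + sys.argv[1] + fileBasename
# Text mode, because a str is written
output = open(outputFilename,'w')
output.write(propsalData)
output.close()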

As you can see the first parameter is prepended to the name of the file to create. The second parameter is put inside the text file.

For the life of me I can't seem to add these parameters in both the GUI and from a conf file.

In the GUI I have tried each of these in the script textfield


create-station-signal-file.py paramTest 34
'create-station-signal-file.py paramTest 34'
"create-station-signal-file.py paramTest 34"

All give an error like below in splunkd.log

05-27-2011 14:12:24.105 +1000 ERROR script - command="runshellscript", Cannot find script at /opt/splunk/bin/scripts/create-station-signal-file.py paramTest 34

When editing the savedsearches.conf file directly I made them look like this


action.script.filename = create-station-signal-file.py paramTest 34
action.script.filename = "create-station-signal-file.py paramTest 34"
action.script.filename = 'create-station-signal-file.py paramTest 34'

Same errors as above.

Does anyone know if it is possible to pass some parameters in?

If not, that's a real pain as I have to take this one simple script and replicate it 20+ times for each alert. Which is even worse if I decide to modify the script slightly in the future.

Thoughts?

Also I did test a simplified no-parameters-required script and it worked, so in case you are thinking Python scripts won't work, they do 🙂

1 Solution

mw
Splunk Employee

I would imagine that Splunk is handling the script as a single quoted name, possibly so that you can have a script with spaces in the name. I imagine that your desire is to keep the script logic common to everything, and located in a single script -- that could be handled differently: make a small script for each case which simply passes the proper parameters to the main script, and use that script instead e.g.:

alert1.sh

#!/bin/sh
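# Run the shared script that sits next to this wrapper, with this alert's fixed parameters
exec "$(dirname "$0")/create-station-signal-file.py" paramTest 34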

Or you could have the main script contain logic to determine the proper parameters based on the search name or some other value. Or you could do something in between those: make soft links to the script with different names, and then within the script do something like:

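import os, sys

# argv[0] carries the path the script was invoked under, so compare its basename with ==
if os.path.basename(sys.argv[0]) == 'alert1.py':
  params = ('paramTest', '34')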

0 Karma
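
The shared-script idea from the answer above, as an added example that is not part of any post in this thread: the script finds its parameters from the name it was invoked under (a soft link) or from the saved-search name, and checks the file-name prefix before using it in a path. The ALERT_PARAMS table, its "Station 7 signal" entry, and the use of argv[4] as the saved-search name (its position among the arguments Splunk adds to legacy script alerts) are assumptions.

```python
"""Added example: one shared alert script that looks up its own parameters."""
import os
import re
import sys

# Hypothetical table: keys are soft-link names or saved-search names.
ALERT_PARAMS = {
    "alert1.py": ("paramTest", "34"),
    "Station 7 signal": ("station7", "12"),
}
WEB_PATH = "/tmp/"
FILE_BASENAME = "-signal.txt"
# The prefix ends up in a file path, so restrict it to a safe alphabet.
SAFE_PREFIX = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_params(argv):
    """Return (prefix, proposal) for the name we were invoked under, or,
    failing that, for the saved-search name (assumed to be argv[4])."""
    invoked_as = os.path.basename(argv[0])
    if invoked_as in ALERT_PARAMS:
        return ALERT_PARAMS[invoked_as]
    if len(argv) > 4 and argv[4] in ALERT_PARAMS:
        return ALERT_PARAMS[argv[4]]
    raise KeyError("no parameters configured for %r" % invoked_as)


def signal_path(prefix, web_path=WEB_PATH):
    """Build the output path, rejecting prefixes such as '../x' or 'a/b'."""
    if not SAFE_PREFIX.fullmatch(prefix):
        raise ValueError("unsafe file name prefix: %r" % prefix)
    return os.path.join(web_path, prefix + FILE_BASENAME)


def write_signal(argv, web_path=WEB_PATH):
    """Write 'proposal=<value>' to <web_path>/<prefix>-signal.txt."""
    prefix, proposal = resolve_params(argv)
    path = signal_path(prefix, web_path)
    with open(path, "w") as output:
        output.write("proposal=" + proposal)
    return path


if __name__ == "__main__":
    print(write_signal(sys.argv))
```
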

SantoshBansode
Explorer

It's a limitation of Splunk; there is no way to send the parameters.

0 Karma

martin_mueller
SplunkTrust

Not really.

Back in the days of this question, the alert script was passed the path of a results .csv.gz, the script could pull anything it wanted from there.

Nowadays, custom alert actions can receive any parameter you like: http://docs.splunk.com/Documentation/Splunk/6.4.1/AdvancedDev/ModAlertsIntro

0 Karma
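
The results-file approach described above, as an added example that is not part of any post in this thread: the script reads the first row of the gzip-compressed results CSV and turns chosen fields into an argument list for another program. The position of the results path (argv[8]) is assumed from the arguments Splunk adds to legacy script alerts; "./myscript.sh", "field1" and "field2" are placeholders.

```python
"""Added example: turn fields of the first result row into script arguments."""
import csv
import gzip
import subprocess
import sys


def first_result_fields(results_path, fields):
    """Return the named fields from the first row of a gzip-compressed CSV."""
    with gzip.open(results_path, "rt", newline="", encoding="utf-8") as handle:
        row = next(csv.DictReader(handle), None)
    if row is None:
        raise ValueError("results file contains no rows")
    missing = [name for name in fields if name not in row]
    if missing:
        raise KeyError("fields not in results: %s" % ", ".join(missing))
    return [row[name] for name in fields]


def build_command(script, results_path, fields):
    """Build an argv list; each value stays one argument, whatever it contains."""
    return [script] + first_result_fields(results_path, fields)


if __name__ == "__main__":
    # Assumption: the results file path is the 8th argument of a legacy script alert.
    # "./myscript.sh", "field1" and "field2" are placeholders.
    command = build_command("./myscript.sh", sys.argv[8], ["field1", "field2"])
    # A list with the default shell=False means no shell parses the field values.
    sys.exit(subprocess.call(command))
```
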

rapmancz
Explorer

Do you have any practical example? Maybe I am getting old but I do not understand the procedure for running the final script/batch with something like myscript.bat $result.field1 $result.field2

0 Karma

jayannah
Builder

I think the question here is: how to pass our own values (dynamically derived from the event) to a script (Python/Perl/shell) as command line arguments?

phoenixdigital
Builder

I was trying to pass in fixed values. Which also seems to be difficult as well.

0 Karma


phoenixdigital
Builder

Thanks for the response, I was worried you would say that.

I had thought of the softlink option, which would work but would not be ideal.

It's a shame because the scripted inputs behave in this manner. Would be nice if they were consistent 😉

0 Karma

SantoshBansode
Explorer

Is there any way where I can send the parameter from the search result?

0 Karma