Alert script and severity

nicco
Explorer

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurescriptedalerts

says that

The command line arguments that Splunk passes to the script are:

$0 = Script name
$1 = Number of events returned
$2 = Search terms
$3 = Fully qualified query string
$4 = Name of saved search
$5 = Trigger reason (i.e. "The number of events was greater than 1")
$6 = Browser URL to view the saved search
$7 = This option has been deprecated and is no longer used
$8 = File where the results for this search are stored (contains raw results)

So, I've got a couple of snippets of info, but I also want the severity that I set in Splunk to be passed along (if it can't be, what's the point of having that field, right?).

Is there a way to pass the severity along to the script? If I put some arguments after the script, will they be passed as $9?

FYI, I'm passing this to a bash script that simply calls zensedevent.

Thanks.

enno
Explorer

Another approach I've been using is to simply use a small number of alert scripts. The severity of the alert is encoded in the name of the script, e.g. alert2mgr_low, alert2mgr_medium and so on.

For the script, I have one common script which examines its name, the $0 argument, looking for 'low', 'medium', 'high', etc and encodes the appropriate severity into our alert manager. The only cost then is a bunch of links from the various names to the one script.

Genti
Splunk Employee

So, I asked the dev for this particular piece of code, and it can be done.

1 - You need to modify alert_actions.conf to pass a 9th argument as

$alert.severity$

Get the name from savedsearches.conf:

> alert.severity = <int>
> * Sets the alert severity level.
> * Valid values are: 1-debug, 2-info, 3-warn, 4-error, 5-severe, 6-fatal
> * Defaults to 3.

2 - You need to modify runshellscript to account for this 9th argument.

I'm no coder, but a quick look tells me at least one thing you need to change. From runshellscript.py:

    # make sure cmd_args has length of 9
    cmd_args = cmd_args[:9]
    for i in xrange(9 - len(cmd_args)):
        cmd_args.append("")
    cmd_args[0] = script
    cmd_args[8] = path

You might want to test it out before you change it.
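
The following is an added example, not code from this thread, from Splunk or from Zenoss. It is one alert script that combines the two approaches discussed above: it takes the severity from a 9th argument when runshellscript.py has been changed to pass $alert.severity$ (the approach just described), and otherwise from its own name when it is invoked through links such as alert2mgr_low or alert2mgr_high (the approach in the earlier reply), falling back to the savedsearches.conf default of 3. The mapping of Splunk's 1-6 levels onto Zenoss severity names and the zensendevent flags used at the end are assumptions to check against your own alert manager; the rest uses only the eight documented Splunk arguments.

```shell
#!/bin/sh
# Added example (not from the thread, Splunk or Zenoss): one alert script that
# resolves severity from either a 9th argument or from its own name, then
# hands the event to the Zenoss zensendevent CLI (assumed to be on PATH).
#
# Splunk's positional arguments (from the scripted-alert docs):
#   $1 event count  $2 search terms  $3 full query  $4 saved-search name
#   $5 trigger reason  $6 results URL  $7 deprecated  $8 results file
#   $9 alert.severity, only present if runshellscript.py was patched to pass it

# Splunk alert.severity (1-debug .. 6-fatal) -> Zenoss severity name.
# The Zenoss vocabulary (Debug, Info, Warning, Error, Critical) is an assumption.
zenoss_severity() {
    case "$1" in
        1) echo Debug ;;
        2) echo Info ;;
        3) echo Warning ;;
        4) echo Error ;;
        5|6) echo Critical ;;
        *) return 1 ;;
    esac
}

# Severity encoded in the script name, for links such as alert2mgr_high -> script.
# Only the suffix after the last underscore is examined; returns a Splunk level.
severity_from_name() {
    case "$(basename "$1")" in
        *_low)      echo 2 ;;
        *_medium)   echo 3 ;;
        *_high)     echo 4 ;;
        *_critical) echo 5 ;;
        *)          return 1 ;;
    esac
}

# $1 = script path ($0), $2 = optional 9th argument.
# Precedence: explicit numeric argument, then name suffix, then Splunk's default of 3.
resolve_level() {
    case "${2:-}" in
        [1-6]) echo "$2"; return 0 ;;
    esac
    level=$(severity_from_name "$1") && { echo "$level"; return 0; }
    echo 3
}

# $1 = saved-search name, $2 = trigger reason, $3 = event count.
build_summary() {
    printf '%s: %s (%s events)' "$1" "$2" "$3"
}

main() {
    count="$1"; saved_search="$4"; reason="$5"; url="$6"; results_file="$8"
    level=$(resolve_level "$0" "${9:-}")
    severity=$(zenoss_severity "$level")
    summary=$(build_summary "$saved_search" "$reason" "$count")
    # Each value is a separate quoted argv element. Search strings and trigger
    # reasons come from alert content and must never be re-parsed by a shell
    # (no eval, no unquoted expansion).
    # zensendevent flags (-d device, -s severity, -k event class key, -p
    # component, positional message) are assumed; check zensendevent --help.
    zensendevent -d "$(hostname)" -s "$severity" -k splunk -p "$saved_search" \
        "$summary - $url - results in $results_file"
}

# Splunk supplies at least eight arguments; when the file is run or sourced
# without them (e.g. for testing) nothing is sent.
if [ "$#" -ge 8 ]; then
    main "$@"
fi
```

Install the script once and create links to it named by severity (alert2mgr_low, alert2mgr_high, ...), or point a patched runshellscript.py at it directly; in both cases resolve_level picks the explicit 9th argument first, so a patched install can keep the same links without changing behaviour. Note that the last reply in this thread confirms extra arguments appended in the alert configuration are not passed as $9 but become part of the script path, which is why the name-based fallback exists.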

Genti
Splunk Employee

I've had people successfully do it with the above instructions.

dcparker
Path Finder

Did you have any luck with this? I am trying to do the same thing and have gotten stuck.

nicco
Explorer

No. I guess I'll just have to have a few scripts for the various severity levels.

Here's the answer:

http://docs.splunk.com/Documentation/Splunk/4.2.3/user/SchedulingSavedSearches

Severity labels are informational in purpose and have no additional functionality. You can use them to quickly pick out important alerts from the alert listing on the Alerts page, which you can get to by clicking the Alerts link in the upper right-hand corner of the Splunk interface.

And... if you try to add additional arguments, they don't get passed as arguments but become part of the script name itself:

10-18-2011 00:03:50.562 +0000 ERROR script - command="runshellscript", Cannot find script at /opt/splunk/bin/scripts/alert_splunk_troubleshoot.sh foofoofoo
