Run a script on UF from SHC

ishaanshekhar · ‎05-09-2016

Hi,

I have a few scheduled alerts setup on my SHC. The output is the list of hosts (UFs) that fall in the alert criteria.

I need my alert to also run a script on all the remote hosts (UFs) that fall in the alert criteria.

I understand we can have a script on the local SHC to call the remote script on UF using ssh. But I dont want to follow that route. I wish to have a script in an app on UF and have it run by SHC.

Is that possible directly? or through a rest endpoint? or any other technique?

Thanks
Ishaan

jkat54 · ‎05-09-2016

Im afraid this exact requirement SHC to UF is not possible without the use of ssh or another command and control technique/software.

What if you put a script on the UF that queried the SHC, runs a search or reads a saved search/report, determines if the UF itself is in the list, and then executes the code. Make the script run on the UF every hour, etc.

ishaanshekhar · ‎05-10-2016

Thanks @jkat54 .... but my irony is the actual data for the calculation of 'alert' condition is coming from the UFs themselves to the SHC.

If I were to put a script on the UFs to check on the SHC through REST endpoint, it would be easier to put a script that would check the data in question locally on UF rather than on SHC.

I was actually hoping for a REST end point to run a script in an app on UF, which I could call from the SHC.

jkat54 · ‎05-10-2016

What is the criteria for your alert?

ishaanshekhar · ‎05-10-2016

Things that are local to a UF server... such as disk space, process hung, memory, cpu increase etc.

The date comes from the UF to SHC, and the SHC is required to trigger a script on the UF for corrective action in case of threshold is met for any criteria.

Run a script on UF from SHC

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes