I config a scripted alert, then i put the myalert.py into $SPLUNK_HOME\bin\scripts. But when alert is trigger, the script execute error(in splunkd.log):
ERROR ScriptRunner - stderr from 'C:\Splunk\etc\apps\search\bin\runshellscript.py': ImportError: No module named site
Splunk Version is 4.3.0
Why?
Thanks lots.
SavedSearch:
[WebServerMini-alert-script]
action.email.inline = 1
action.email.reportServerEnabled = 0
action.script = 1
action.script.filename = myalert.py
alert.digest_mode = True
alert.severity = 4
alert.suppress = 0
alert.suppress.period = 5s
alert.track = 1
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = @m
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = flashtimeline
search = index=fschangemonitor sourcetype="WINSERVER1-Web-Mini"
vsid = gz0wf600
myalert.py:
import sys
f = open("argv.txt", "w")
for var in sys.argv:
f.write(var + "\n")
f.close()
I solved the question.
I put the myalert.py into the %SPLUNK_HOME%\etc\app\search\bin directory, then edit the %SPLUNK_HOME%\etc\app\search\default\commands.conf, add the following section:
[myalert]
filename = myalert.py
then the script running correct where the alert is triggered.