Alerting

Can I manually trigger a scripted alert

chris
Motivator

Is it somehow possible to trigger a scripted alert manually?

We have some alerts that usually run once a day; sometimes there is a need to run the scripted alert more often (to either manually check if a situation occurred based on some information the users receive, or to simply check whether the shell script is still working correctly). I know that I can change the alert to run every minute in the manager and then change it back to what the interval was. If I just click on the 'run' action in the manager, only the search is run but the shell script (or email action) is not triggered. Is there a way to do this?

Chris

1 Solution

Lowell
Super Champion

You have to somehow pass triggerActions=1 when the search job gets created. Otherwise, as you've seen, the search will run as normal, but without causing any of the triggered actions (like running a script, emailing, or summary indexing) to occur. Normally, this is what you want. For example, you wouldn't want to accidentally click "run" on a summary index generating search that would end up doubling up your summary index data. In the case of sending an email, though, that would be nice to be able to do.

I don't know a way to do this from within the user interface, but I've done it from some python code before; here's a stripped-down version that works on my system. Obviously, you'll need to update it to match your parameters. You can change "now" to any epoch time, to re-test at a specific time after tweaking the alert's logic.

import splunk.auth
import splunk.saved
import time

# Log in and obtain a session key for the calls that follow.
sessionKey = splunk.auth.getSessionKey("admin", "changeme")
# Epoch time the alert treats as "now"; set this to a past time to re-test a specific window.
now = time.time()

# Dispatch the saved search. triggerActions=1 is what makes its actions (script, email, summary index) fire.
job = splunk.saved.dispatchSavedSearch("Savesearch name", sessionKey=sessionKey, namespace="App", owner="admin", triggerActions=1, now=now)

The REST API docs also show an example using curl:

curl -k -u admin:pass \
  https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch \
  -d trigger_actions=1
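The same REST dispatch as a small script, added here as an example rather than code from the answer above. It assumes a Splunk management port at https://localhost:8089 and an authentication token in a hypothetical SPLUNK_TOKEN environment variable (so no admin:password appears on the command line); the saved search name, app and owner are constructed placeholders, and dispatch.now is assumed to be the REST counterpart of the now= argument used in the Python snippet. The request builder percent-encodes the saved search name, since names with spaces are common, and the response parser pulls the job id (sid) out of the XML Splunk returns, so you can follow up on the job afterwards.

```python
"""
Dispatch a Splunk saved search over REST with trigger_actions=1 so that its
alert actions (script, email, summary index) actually run.

Added example, not code from the original post. Assumptions (hypothetical):
management port https://localhost:8089, token in SPLUNK_TOKEN, and the
saved search / app / owner names used in __main__.
"""
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_dispatch_request(base_url, owner, app, saved_search,
                           trigger_actions=True, dispatch_now=None):
    """Return (url, form_body) for the saved-search dispatch endpoint.

    The saved search name is part of the URL path, so it is percent-encoded.
    trigger_actions defaults to 0 on the Splunk side, which is exactly the
    "run the search but fire nothing" behaviour of the manager's run button.
    """
    name = urllib.parse.quote(saved_search, safe="")
    url = f"{base_url}/servicesNS/{owner}/{app}/saved/searches/{name}/dispatch"
    params = {"trigger_actions": "1" if trigger_actions else "0"}
    if dispatch_now is not None:
        # Pin the alert's idea of "now" (epoch seconds) to re-test a past window.
        params["dispatch.now"] = str(int(dispatch_now))
    return url, urllib.parse.urlencode(params)


def parse_sid(response_body):
    """Extract the job id from the XML body the dispatch endpoint returns.

    Accepts bytes or str; raises if the document carries no <sid> element.
    """
    root = ET.fromstring(response_body)
    sid = root.findtext("sid")
    if not sid:
        raise ValueError("dispatch response carried no <sid>")
    return sid.strip()


def dispatch_with_actions(base_url, owner, app, saved_search, token,
                          dispatch_now=None, verify_tls=True):
    """POST the dispatch request and return the new job's sid."""
    url, body = build_dispatch_request(base_url, owner, app, saved_search,
                                       True, dispatch_now)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    # Bearer token instead of a username:password pair on the command line.
    req.add_header("Authorization", f"Bearer {token}")
    context = ssl.create_default_context()
    if not verify_tls:
        # Equivalent of curl -k; only for a lab box with a self-signed cert.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=context) as resp:
        return parse_sid(resp.read())


if __name__ == "__main__":
    # Hypothetical names; replace with your own saved search, app and owner.
    token = os.environ["SPLUNK_TOKEN"]
    sid = dispatch_with_actions("https://localhost:8089", "admin", "search",
                                "MySavedSearch", token)
    print("dispatched job", sid)
```

Because trigger_actions=1 really fires the actions, point this at a copy of the alert (or a test recipient) while checking that the shell script still works; for a summary-indexing search the default of 0 is the safety net the answer describes, and this script deliberately turns it off.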
