I want to run a script after a particular alert triggers, taking server names as input from the Splunk alert result.
The alert result is in the below format:
time server LoadFailed date
I want to take the server list from here and execute a command on all the servers listed.
I have gone through the http://docs.splunk.com/Documentation/Splunk/5.0/Alert/Configuringscriptedalerts document, but couldn't implement much.
Just could get an idea that maybe we need to open the result file and grep the argument.
Please help with the script.
Thanks
AD
A really quick and dirty method is to do this in Bash - if nothing else it will help you get to grips with how the process works.
my_custom_action.sh
#!/bin/bash
# $8 is the path of the gzipped search results file Splunk passes to a scripted alert.
# Quoting "$8" keeps a path with spaces intact.
ResultsList=$(cat "$8" | gzip -d | tail -n +2)
# Quote the variable so each result row stays on its own line in output.txt.
echo "$ResultsList" > output.txt
Taking each command as it comes:
ResultsList
will contain the results of your Splunk search
cat $8
When Splunk executes your script, the $8 parameter will be the path of the search results on your server. cat will output the contents of the file and pass it to:
gzip -d
- this will decompress the results to make them readable, and then:
tail -n +2
- will ignore the top line which is the header, and start reading from line 2!
echo $ResultsList
will write the results of the above into output.txt for you to review.
Hi @DAnkita,
Which version of Splunk are you running? Scripted Alerts have been deprecated since Splunk 6.3 and this feature is replaced with Custom Alert Actions, so I'd recommend creating a custom alert action based on your requirement if you are running Splunk version 6.3 or higher. In the given Custom Alert Action link, Splunk also provided 2-3 examples, so you can refer to those as well.
I hope this helps.
Thanks,
Harshil
Hi Harshil ,
Thanks for your reply, I'm using Splunkweb7 currently.
My main problem is how we can take the server list as an input, if you can help.
In a Custom Alert Action, when you fetch the payload you will be able to see results_file, which is generated when your scheduled search runs. It stores the output in CSV format, but the file is compressed in .gz format.
So the high-level steps in your script for the Custom Alert Action are:
1.) Fetch results_file from the payload
2.) zcat results_file, find the count of rows without the header and store it in a variable
3.) Run a for loop with the count you found in Step 2, read the rows one by one, fetch the server from each row value and do the necessary action based on your requirement.
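The following is an added example (not a script from either poster or from Splunk) that carries out the three steps above and also accepts the legacy $8 results path from the Bash answer, so one script covers both alert mechanisms discussed in this thread. It assumes Python 3, the column name "server" from the alert header in the question, and a placeholder remote command ("ssh {server} uptime") that should be replaced with the real action. The results CSV and payload used by demo() are constructed sample data. Server names are validated against a hostname pattern and the command is built as an argv list, so a value that appears in indexed data is never handed to a shell for re-parsing.

```python
#!/usr/bin/env python3
# Added example: read the alert results and run one command per listed server.
# Two entry points exist on this page:
#   - legacy scripted alert: the results path arrives as argument 8 ($8)
#   - custom alert action (6.3+): Splunk runs the script with --execute and
#     pipes a JSON payload on stdin whose "results_file" key holds that path.
import csv
import gzip
import json
import os
import re
import subprocess
import sys
import tempfile

# Column name taken from the alert header in the question (time server LoadFailed date).
SERVER_FIELD = "server"
# Accept only hostname-shaped values; anything else in the indexed data is skipped
# rather than passed on to a remote command.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def results_path_from_payload(payload_json):
    """Step 1: pull results_file out of the JSON payload Splunk sends on stdin."""
    payload = json.loads(payload_json)
    return payload["results_file"]


def read_servers(results_path, field=SERVER_FIELD):
    """Steps 2 and 3: decompress the gzipped CSV, skip the header row and return
    the unique, validated server names in first-seen order."""
    servers = []
    with gzip.open(results_path, "rt", newline="") as fh:
        reader = csv.DictReader(fh)  # first row is the header, as tail -n +2 assumed
        if field not in (reader.fieldnames or []):
            raise KeyError("column %r not in results header %r" % (field, reader.fieldnames))
        for row in reader:
            name = (row.get(field) or "").strip()
            if not HOSTNAME_RE.match(name):
                continue  # empty or not a hostname: refuse it
            if name not in servers:
                servers.append(name)
    return servers


def build_commands(servers, command_template):
    """Expand {server} in each argv element. The command stays an argv list, so a
    server name is never re-parsed by a shell."""
    return {s: [part.replace("{server}", s) for part in command_template] for s in servers}


def run_commands(commands):
    """Run each prepared argv and return exit codes keyed by server."""
    rc = {}
    for server, argv in commands.items():
        proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        rc[server] = proc.returncode
    return rc


def demo():
    """Constructed sample: a gzipped CSV shaped like the alert in the question,
    wrapped in a minimal custom-alert-action payload."""
    rows = [
        "time,server,LoadFailed,date",
        "2019-01-01 10:00:00,web01,1,2019-01-01",
        "2019-01-01 10:05:00,web02,1,2019-01-01",
        "2019-01-01 10:10:00,web01,1,2019-01-01",       # duplicate, reported once
        "2019-01-01 10:15:00,not a host!,1,2019-01-01",  # rejected by HOSTNAME_RE
    ]
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        fh.write("\n".join(rows) + "\n")
    payload = json.dumps({"results_file": path, "search_name": "LoadFailed alert"})
    return read_servers(results_path_from_payload(payload))


def main(argv):
    if "--execute" in argv:
        path = results_path_from_payload(sys.stdin.read())
    elif len(argv) > 8:
        path = argv[8]  # scripted alert: the same value the Bash answer reads as $8
    else:
        sys.exit("usage: my_custom_action.py --execute  (payload on stdin)")
    servers = read_servers(path)
    # Hypothetical remote command; replace with whatever the alert should trigger.
    commands = build_commands(servers, ["ssh", "{server}", "uptime"])
    for server, rc in run_commands(commands).items():
        print("%s exit=%d" % (server, rc))


if __name__ == "__main__":
    main(sys.argv)
```

For a custom alert action, place the script under the app's bin directory and declare it in alert_actions.conf as the Splunk documentation linked above describes; Splunk then invokes it with --execute and the payload on stdin. demo() shows the extraction on the constructed results: the duplicate web01 row collapses to one entry and the non-hostname value is dropped before any command is built.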