Scripted Alerts
This documentation does not apply to the most recent version of Splunk.
Configure scripted alerts with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Script options
Your alert can trigger a shell script, which must be located in $SPLUNK_HOME/bin/scripts. Use the following attribute/value pairs:
action_script = <string>
  - Your search can trigger a shell script.
  - Specify the name of the shell script to run.
  - Place the script in $SPLUNK_HOME/bin/scripts.
  - Command line arguments passed to the script are:
      - $0 = script name.
      - $1 = number of events returned.
      - $2 = search terms.
      - $3 = fully qualified query string.
      - $4 = name of the saved search.
      - $5 = trigger reason (e.g. "The number of events was greater than 1").
      - $6 = link to the saved search.
      - $7 = This option has been deprecated and is no longer used as of Splunk 3.4.6.
      - $8 = file where the results for this search are stored (contains raw results).
Note: If there are no saved tags, $7 becomes the name of the file containing the search results ($8). This note applies to Splunk versions 3.3-3.5.
If you want to run a script written in a different language (e.g. Perl, Python, VBScript), you must specify the interpreter you want Splunk to use in the first line of your script, following the #!. For example:
To run a Perl script (myscript.pl):
    #!/path/to/perl
    ......
    ......
To use Python to interpret the script file (myscript.py):
    #!/path/to/python
    .....
    .....
For an example on how scripts can be configured to work with alerts, see send SNMP traps.
Example
You can configure Splunk to send alerts to syslog. This is useful if you already have syslog set up to send alerts to other applications, and you want Splunk's alerts to be included.
Check the Splunk Wiki for information about the best practices for using UDP when configuring Syslog input.
Write a script that calls logger (or any other program that writes to syslog). Your script can call any number of the variables your alert returns.
Create the following script and make it executable (the trigger reason in $5 contains spaces, so quote it):
    #!/bin/sh
    logger "$5"
Put your script in $SPLUNK_HOME/bin/scripts.
Now write an alert that calls your script. See Set Up Alerts for information on alert configuration. Configure the alert to call your script by specifying the path in the Trigger shell script field of the alert.
Edit your saved search to call the script. If your script is in $SPLUNK_HOME/bin/scripts you don't have to specify the full path.
This logs the trigger reason to syslog:
    Aug 15 15:01:40 localhost logger: Saved Search [j_myadmin]: The number of events(65) was greater than 10
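The argument list from the Script options section and the syslog example above, combined in one handler script. This is an added example, not code from the Splunk documentation; it assumes the argument order $1..$8 listed above, a logger binary on the host, and a results file in $8 that holds one result per line. Every expansion is quoted and the event count is validated, so search terms containing spaces or shell metacharacters end up inside the syslog line rather than being reinterpreted by the shell.

```shell
#!/bin/sh
# Added example (not from the Splunk docs): a scripted-alert handler for
# $SPLUNK_HOME/bin/scripts. Assumes the argument order $1..$8 described in
# the docs, a `logger` binary on the host, and one result per line in $8.

# Accept only a plain non-negative integer as the event count.
is_integer() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the syslog message from the alert arguments, in Splunk's order:
#   $1 event count, $2 search terms, $3 full query string,
#   $4 saved search name, $5 trigger reason, $6 link to the saved search.
# Every expansion is quoted, so spaces and shell metacharacters in the
# search terms land inside the message instead of being reinterpreted.
format_alert_message() {
    if ! is_integer "$1"; then
        printf 'Splunk alert [%s]: refusing non-numeric event count\n' "$4" >&2
        return 1
    fi
    printf 'Splunk alert [%s]: %s (events=%s, query=%s, link=%s)\n' \
        "$4" "$5" "$1" "$3" "$6"
}

# Count non-empty lines in the raw results file ($8); prints 0 if unreadable.
count_result_rows() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 when nothing matches; `|| true` keeps set -e quiet.
    grep -c . "$1" || true
}

main() {
    msg=$(format_alert_message "$1" "$2" "$3" "$4" "$5" "$6") || exit 1
    rows=$(count_result_rows "$8")
    logger -t splunk-alert -- "$msg result_rows=$rows"
}

# Run only when Splunk invokes the script with its full argument list.
if [ "$#" -ge 8 ]; then
    main "$@"
fi
```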
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.
