Topics

| pdf version

Welcome

What to do first

Start Splunk

Meet Splunk Web and Splunk Apps

Before you configure

Add data and configure inputs

Indexing and event processing

Timestamps

Add and manage users

Manage indexes

Define alerts

Set up backups and retention policies

Configure data security

Set up forwarding and receiving

Deploy to other Splunk instances

Set up distributed search

Manage search jobs

Use Splunk's command line interface (CLI)

Configuration file reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Configure scripted alerts

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

Configure scripted alerts

Configure scripted alerts with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.


Script options

Your alert can trigger a shell script, which must be located in $SPLUNK_HOME/bin/scripts. Use the following attribute/value pairs:

action_script = <string>

  • Your search can trigger a shell script.
  • Specify the name of the shell script to run.
  • Place the script in $SPLUNK_HOME/bin/scripts.
  • Command line arguments passed to the script are:
  • $0 = script name.
  • $1 = number of events returned.
  • $2 = search terms.
  • $3 = fully qualified query string.
  • $4 = name of saved splunk.
  • $5 = trigger reason (i.e. "The number of events was greater than 1").
  • $6 = Browser URL to view the saved search.
  • $7 = a list of tags belonging to this saved search.
  • $8 = file where the results for this search are stored (contains raw results).

Note: If there are no saved tags, $7 becomes the name of the file containing the search results ($8).

If you want to run a script written in a different language (e.g. Perl, Python, VBScript) you must specify the interpreter you want Splunk to use in the first line of your script, following the #!. For example:

to run a Perl script: 

---- myscript.pl ----
#!/path/to/perl
......
......

to use Python to interpret the script file: 

---- myscript.py -----
#!/path/to/python
.....
.....

For an example on how scripts can be configured to work with alerts, see send SNMP traps.


Example

You can configure Splunk to send alerts to syslog. This is useful if you already have syslog set up to send alerts to other applications, and you want Splunk's alerts to be included.

Check the Splunk Wiki for information about the best practices for using UDP when configuring Syslog input.

Write a script that calls logger (or any other program that writes to syslog). Your script can call any number of the variables your alert returns.

Create the following script and make it executable: 

logger $5

Put your script in $SPLUNK_HOME/bin/scripts.

Now write an alert that calls your script. See Set Up Alerts for information on alert configuration. Configure the alert to call your script by specifying the path in the Trigger shell script field of the alert.

Edit your saved search to call the script. If your script is in $SPLUNK_HOME/bin/scripts you don't have to specify the full path.

Image:30_admin7_syslog-logit.jpg

This logs the trigger reason to syslog: 

Aug 15 15:01:40 localhost logger: Saved Search [j_myadmin]: The number of events(65) was greater than 10
Retrieved from "http://www.splunk.com/base/Documentation/4.0.6/Admin/Configurescriptedalerts"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.