TIPS & TRICKS

How to post Splunk saved search results to Twitter

Overview

  • Create a saved search in Splunk.
  • Upload the tweet.sh script to your Splunk server.
  • Schedule your saved search in Splunk Manager.

Steps

  1. Copy the script below to your Splunk server under $SPLUNK_HOME/bin/scripts/, replacing TWITTERUSER and TWITTERPASS with your Twitter username and password respectively.
    #!/bin/bash
    # tweet.sh - Post Splunk saved search result to Twitter.
    # Greg Albrecht (gba@splunk.com)
    # (c)2010 Splunk, Inc.
    # Splunk passes the path of the gzipped CSV of search results as $9.
    # The credentials below sit in cleartext, so keep this file readable only by the Splunk user.
    if [ -f "$9" ]; then
        # Split the loop on newlines only (bash syntax), so a result containing spaces stays one tweet.
        IFS=$'\n'
        # Take the 5th CSV column, drop the header row ("_raw") and strip the surrounding quotes.
        for MSG in $(gzcat "$9" | cut -d , -f 5 | grep -v "_raw" | sed 's/^"//; s/"$//'); do
            # --data-urlencode escapes characters such as & and = inside the message.
            /usr/local/bin/curl --basic --user "TWITTERUSER:TWITTERPASS" \
                --data-urlencode "status=$MSG" http://twitter.com/statuses/update.json
        done
    fi
  2. Log in to your Splunk instance and navigate to the search app.
  3. Create a search for the events you want to match and click Actions > Save search…
  4. Under Schedule and alert, select a scheduled time to run the search.
  5. Under Alert conditions, select the conditions you’d like to trigger the Twitter post.
  6. Under Alert conditions, select Trigger shell script and enter tweet.sh.
  7. Click Save.
  8. That’s it!
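As an added example (not code from the original post), here is a Python alternative to tweet.sh that reads the gzipped results CSV Splunk hands the alert script and selects the field to tweet by column name rather than by position, so values containing commas or newlines are not split the way `cut -d , -f 5` would split them. The field name `message`, the constructed sample rows and the injected `post` callback are assumptions; the original used curl for the posting step.

```python
import csv
import gzip
import os
import tempfile
from typing import Callable, List

TWEET_MAX = 140  # Twitter's status length limit when the post was written

def read_results(path: str) -> List[dict]:
    """Parse Splunk's gzipped results CSV into one dict per event (header row = keys)."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))

def build_statuses(rows: List[dict], field: str) -> List[str]:
    """Turn one named field of each row into a single-line, length-limited status."""
    statuses = []
    for row in rows:
        # Collapse embedded newlines and repeated spaces; skip empty values.
        value = " ".join((row.get(field) or "").split())
        if value:
            statuses.append(value[:TWEET_MAX])
    return statuses

def run(argv: List[str], field: str, post: Callable[[str], None]) -> int:
    """Alert entry point: argv[9] is the results file, as $9 is in tweet.sh.
    `post` does the sending (curl in the original) and is injected so the
    parsing runs offline. Returns how many statuses were handed to post."""
    if len(argv) < 10 or not os.path.isfile(argv[9]):
        return 0
    statuses = build_statuses(read_results(argv[9]), field)
    for status in statuses:
        post(status)
    return len(statuses)

def write_sample_results() -> str:
    """Write a constructed results.csv.gz shaped like Splunk's and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["_time", "host", "message", "_raw"])  # header row
        # A comma and a newline inside the field: this is what breaks `cut -f 5`.
        w.writerow(["2010-06-01T10:00:00", "web01", "disk 91% full,\n  /var", "raw1"])
        w.writerow(["2010-06-01T10:05:00", "web02", "", "raw2"])  # empty value: skipped
    return path

if __name__ == "__main__":
    # Stand-alone demo: parse the constructed sample and print instead of posting.
    run([""] * 9 + [write_sample_results()], "message", print)
```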

----------------------------------------------------
Thanks!
Greg Albrecht
