
Overview
- Create a saved search in Splunk.
- Upload the tweet.sh script to your Splunk server.
- Schedule your saved search in Splunk Manager.
Steps
- Copy the script below to your Splunk server under $SPLUNK_HOME/bin/scripts/, and replace TWITTERUSER and TWITTERPASS with your Twitter username and password respectively. Note that the script embeds these credentials in cleartext, so restrict the file's permissions to the Splunk user.
#!/bin/sh
# tweet.sh - Post Splunk saved search result to Twitter.
# Greg Albrecht (gba@splunk.com)
# (c)2010 Splunk, Inc.
# Splunk passes the path of the gzipped results file as the 9th argument.
if [ -f "$9" ]; then
  # Column 5 holds the event text; drop the header row (the one containing "_raw")
  # and the double quotes around each value, then post one tweet per line.
  gzcat "$9" | cut -d , -f 5 | grep -v "_raw" | sed -e 's/^"//' -e 's/"$//' | \
  while IFS= read -r MSG; do
    # --data-urlencode encodes the message; --data-ascii would send '&' and '=' raw.
    /usr/local/bin/curl --basic --user "TWITTERUSER:TWITTERPASS" \
      --data-urlencode "status=$MSG" http://twitter.com/statuses/update.json
  done
fi
- Login to your Splunk instance and navigate to the search app
- Create a search for the terms or events you want to match and click Actions > Save search…
- Under Schedule and alert select a scheduled time to run the search.
- Under Alert conditions select the conditions you’d like to trigger the Twitter post.
- Under Alert conditions select Trigger shell script and enter tweet.sh
- Click Save.
- That’s it!
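A hardened rewrite of the alert script, added here as an example and not the author's tweet.sh: it keeps the same assumptions (results file in argument 9, status text in column 5) but reads credentials from a separate mode-0600 netrc file instead of the script body, quotes the file argument, URL-encodes the status, and rejects empty, over-long or non-printable messages before posting. The credential path (TWEET_CRED_FILE) and the https endpoint default (TWEET_ENDPOINT) are assumptions, not values from the page.

```sh
#!/bin/sh
# Hardened variant of tweet.sh (added example, not the original author's script).
# Credentials live in a netrc file ("machine twitter.com login USER password PASS"),
# owned by the Splunk user with mode 0600, so they never appear in the script or in
# process listings. Both paths below are assumed defaults.
CRED_FILE="${TWEET_CRED_FILE:-${SPLUNK_HOME:-/opt/splunk}/etc/tweet.netrc}"
ENDPOINT="${TWEET_ENDPOINT:-https://twitter.com/statuses/update.json}"
MAX_LEN=140

# Print column 5 of the gzipped results file, one value per line, dropping the
# header row and the double quotes Splunk puts around each field.
extract_statuses() {
    gzip -dc "$1" | tail -n +2 | cut -d , -f 5 | sed -e 's/^"//' -e 's/"$//'
}

# Accept a status only if it is non-empty, printable and within the length limit,
# so an event containing control characters or an over-long body is not posted.
valid_status() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le "$MAX_LEN" ] || return 1
    [ -z "$(printf '%s' "$1" | tr -d '[:print:]')" ] || return 1
    return 0
}

# Post every valid status. curl URL-encodes the message, and the file argument
# is quoted so a path containing spaces cannot split into extra words.
post_statuses() {
    [ -f "$1" ] || return 0
    extract_statuses "$1" | while IFS= read -r msg; do
        if valid_status "$msg"; then
            curl -s --netrc-file "$CRED_FILE" --data-urlencode "status=$msg" "$ENDPOINT"
        else
            echo "tweet.sh: skipping invalid status" >&2
        fi
    done
}

# Only post when invoked by Splunk (argument 9 present); otherwise the functions
# above can be sourced and exercised without network access.
if [ -n "${9:-}" ]; then
    post_statuses "$9"
fi
```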
----------------------------------------------------
Thanks!
Greg Albrecht