Writing a scripted alert action to process results

Another way to interface with an external system is to run a custom alert action that receives the results of a saved search. Splunk provides a simple example in $SPLUNK_HOME/bin/scripts/echo.sh. Note that Splunk only runs alert scripts placed in that directory (or in an app's bin/scripts directory), and that they run with the privileges of the Splunk user, so anything they do with the search name or the results should be written as if the input were hostile. Let's try it out and see what we get using the following steps:

  1. Create a saved search. For this test, let's do something simple and easy, such as the following search:
    index=_internal | head 100 | stats count by sourcetype
  2. Schedule the search to run at a point in the future. I set it to run every five minutes just for this test.
  3. Enable Run a script and type in echo.sh.

The script places the output into $SPLUNK_HOME/bin/scripts/echo_output.txt ...
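To show what such a script actually receives, here is an added example of a minimal alert script written in the shape Splunk uses for "Run a script" actions. It is not the book's code and not Splunk's echo.sh; the argument positions and the SPLUNK_ARG_n variables are as Splunk documents them, while the output file name (alert_output.txt) and the way the results CSV is summarised are this example's own assumptions.

```shell
#!/bin/sh
# Added example: a hypothetical alert script in the shape Splunk uses for
# "Run a script" actions. It is not the book's code and not Splunk's echo.sh;
# the output file name and the CSV handling are this example's own choices.
#
# Splunk invokes a legacy alert script with these positional arguments (also
# exported as SPLUNK_ARG_0 .. SPLUNK_ARG_8):
#   $1  number of events returned      $5  reason the alert fired
#   $2  search terms                   $6  browser URL to view the results
#   $3  fully qualified query string   $7  (not used)
#   $4  name of the saved search       $8  path to the gzipped CSV of results

# Record every argument as its own key=value line. Values such as the saved
# search name and the raw results are user-controlled, so they are written
# with printf '%s' and never handed to eval or interpolated into a command.
log_alert_args() {
    out=$1
    shift
    i=1
    for arg in "$@"; do
        printf 'arg%d=%s\n' "$i" "$arg" >> "$out"
        i=$((i + 1))
    done
}

# Decompress the results file and print "sourcetype count" per data row,
# dropping the CSV header and any quotes Splunk puts around field values.
# Fields containing commas would need a real CSV parser; the output of
# "stats count by sourcetype" does not contain them.
summarize_results() {
    gzip -dc "$1" | awk -F, 'NR > 1 { gsub(/"/, "", $1); gsub(/"/, "", $2); print $1, $2 }'
}

# Entry point when Splunk runs the script: log the arguments, then the rows.
# Output goes next to the script, as echo.sh does; the file name is assumed.
main() {
    out="$(dirname "$0")/alert_output.txt"
    log_alert_args "$out" "$@"
    if [ -r "$8" ]; then
        summarize_results "$8" >> "$out"
    fi
}

# Run main only when invoked with the full argument set Splunk supplies, so
# the functions above can also be sourced and exercised on their own.
if [ "$#" -ge 8 ]; then
    main "$@"
fi
```

The point of `log_alert_args` is the quoting: every argument arrives as a separate argv entry, so a saved search named `$(touch /tmp/pwned)` stays an inert string as long as the script never passes it through `eval` or builds a command line from it. Copy the script into $SPLUNK_HOME/bin/scripts, make it executable, and select it in place of echo.sh to try it against the test search.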
