Writing a scripted alert action to process results
Another option for interfacing with an external system is to run a custom Alert action using the results of a saved search. Splunk provides a simple example in $SPLUNK_HOME/bin/scripts/echo.sh. Let's try it out and see what we get, using the following steps:
- Create a saved search. For this test, do something cheap, such as the following:
index=_internal | head 100 | stats count by sourcetype
- Schedule the search to run at some point in the future. I set it to run every five minutes, just for this test.
- Enable Run a script and type in
echo.sh.
The script places the output into $SPLUNK_HOME/bin/scripts/echo_output.txt ...
Get Implementing Splunk: Big Data Reporting and Development for Operational Intelligence now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
