Writing a scripted alert action to process results
Another option for interfacing with an external system is to run a custom Alert action using the results of a saved search. Splunk provides a simple example in $SPLUNK_HOME/bin/scripts/echo.sh. Let's try it out and see what we get, using the following steps:
Create a saved search. For this test, do something cheap, such as the following:
index=_internal | head 100 | stats count by sourcetype
Schedule the search to run at some point in the future. I set it to run every five minutes, just for this test.
Enable Run a script and type in echo.sh.
The script places the output into $SPLUNK_HOME/bin/scripts/echo_output.txt. In my case, the output is as follows:
'/opt/splunk/bin/scripts/echo.sh' '4' 'index=_internal | head 100 | stats count by sourcetype' 'index=_internal | head 100 | stats count by sourcetype' 'testingAction' 'Saved Search [testingAction] always(4)' 'http://vlbmba.local:8000/app/search/@go?sid=scheduler__admin__search__testingAction_at_1352667600_2efa1666cc496da4...
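The values in that output are plain positional arguments, so a real alert script sees the event count, the search terms, the query, the saved search name, the trigger reason and the results URL as $1 through $6. The following script is an added example, not Splunk's echo.sh: it assumes the usual eight-argument convention (with $7 unused and $8 the path to the gzipped CSV of results), logs every argument without ever letting the shell interpret it, and only takes action when events were actually returned.

```shell
#!/bin/sh
# Added example (not Splunk's echo.sh). Assumed positional arguments:
#   $1 event count   $2 search terms   $3 query string   $4 saved search name
#   $5 trigger reason   $6 results URL   $7 unused   $8 gzipped CSV of results

# Emit one structured log line per invocation. Every argument is passed as a
# separate, quoted word, so a search name or query containing quotes, pipes
# or backticks is logged literally instead of being interpreted by the shell.
log_alert() {
    count="$1"; name="$4"; reason="$5"; url="$6"; results="$8"
    printf 'ts=%s search=%s count=%s reason=%s url=%s results=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$count" "$reason" "$url" "$results"
}

# Count data rows in the results file; the first line is the CSV header.
# Splunk writes this file gzipped, but a plain CSV is accepted too.
result_rows() {
    results="$1"
    [ -f "$results" ] || { echo 0; return 1; }
    case "$results" in
        *.gz) gzip -dc -- "$results" ;;
        *)    cat -- "$results" ;;
    esac | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Act only when the search returned events; a non-numeric count is treated
# as "do not notify" rather than as an error.
should_notify() {
    [ "${1:-0}" -gt 0 ] 2>/dev/null
}

main() {
    # ALERT_LOG is a hypothetical override for where the log line is written.
    log_alert "$@" >> "${ALERT_LOG:-/tmp/alert_action.log}"
    if should_notify "$1"; then
        echo "$(result_rows "$8") result rows for saved search '$4'"
    fi
}

# Run only when invoked with Splunk's arguments, not when sourced for testing.
[ $# -eq 0 ] || main "$@"
```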