Another option to interface with an external system is to run a custom alert action using the results of a saved search. Splunk provides a simple example in $SPLUNK_HOME/bin/scripts/echo.sh. Let's try it out and see what we get using the following steps:
- Create a saved search. For this test, do something cheap, such as the following search:
index=_internal | head 100 | stats count by sourcetype
- Schedule the search to run at a point in the future. I set it to run every five minutes just for this test.
- Enable Run a script and type in echo.sh:
The script places the output into $SPLUNK_HOME/bin/scripts/echo_output.txt.
In my case, the output is as follows:
'/opt/splunk/bin/scripts/echo.sh' '4' 'index=_internal | head 100 | stats count by sourcetype' 'index=_internal | head 100 ...
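As an added example (not from the book and not Splunk's echo.sh), the script below is a hypothetical alert action that reads the same positional arguments echo.sh prints, takes the gzipped results CSV that Splunk passes as the eighth argument, and appends one summary line per alert to a log file; the script name and the log path are assumptions, the argument order follows Splunk's legacy alert-script interface.

```shell
#!/bin/sh
# Hypothetical custom alert action (assumed name: summarize_alert.sh, placed in
# $SPLUNK_HOME/bin/scripts). Splunk's legacy alert-script interface invokes it as:
#   $1 number of events   $2 search terms   $3 fully qualified query
#   $4 saved search name  $5 trigger reason $6 saved search URL
#   $7 (unused)           $8 path to the gzipped CSV of results
# The log path below is an assumption; override it with ALERT_LOG_FILE.
LOG_FILE="${ALERT_LOG_FILE:-${SPLUNK_HOME:-/opt/splunk}/var/log/splunk/alert_summary.log}"

utc_now() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# summarize_alert NUM_EVENTS SEARCH_NAME TRIGGER_REASON RESULTS_GZ
# Appends a summary line to LOG_FILE and prints the number of result rows
# actually found in the CSV, so the caller can compare it with NUM_EVENTS.
summarize_alert() {
    num_events="$1"; search_name="$2"; reason="$3"; results_gz="$4"

    # A missing or unreadable results file is the common failure mode
    # (wrong permissions on the script user, or the file already cleaned up).
    if [ ! -r "$results_gz" ]; then
        printf '%s alert="%s" error="results file missing or unreadable: %s"\n' \
            "$(utc_now)" "$search_name" "$results_gz" >> "$LOG_FILE"
        return 1
    fi

    # The results file is a gzipped CSV whose first line is the header row;
    # count only non-empty data rows.
    rows=$(gzip -dc "$results_gz" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }')

    printf '%s alert="%s" reason="%s" reported_events=%s result_rows=%s\n' \
        "$(utc_now)" "$search_name" "$reason" "$num_events" "$rows" >> "$LOG_FILE"
    echo "$rows"
}

# When Splunk runs this script it passes all eight arguments; a shorter
# argument list means the script was invoked by hand, so do nothing.
if [ "$#" -ge 8 ]; then
    summarize_alert "$1" "$4" "$5" "$8"
fi
```

Run it by enabling "Run a script" on the saved search exactly as done for echo.sh, then check the log file after the next scheduled run.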