4 Replies Latest reply on May 18, 2018 7:46 AM by faizan_123

    Alert Action using powershell script




      Looking to create a rule for syslog & trap events in SW NPM with an alert action "execute an external program" that calls a powershell script that writes a json formatted event into an http event collector in Splunk.


      • The script works fine from the command line of SW NPM but once I add it to a rule it fails to inject into splunk when the alert rule fires.
      • The powershell script must be called with the -file option.
      • Other actions (email or another "perl" script) fire successfully
      • Example of Alert "Action Program to execute":
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scriptlocationhere\scriptname.ps1



        • Re: Alert Action using powershell script

          Hi there


          So can you send screenshots of your alert, so we can see what you're doing, please?

            • Re: Alert Action using powershell script


              Thanks for your reply.  Just to be clear, the existing syslog or trap rules work fine. I'm looking to replace the existing perl script with a powershell script.

              The powershell script works fine outside of the alert rule (from a powershell prompt)



              Example of Alert Action to execute a program.

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scriptlocationhere\scriptname.ps1 -AG <GroupName> -CI <ConfigItemName> -SE <Severity> -ME "<Alert Message content from NPM ${MESSAGE}>" -HN <Hostname>



              Example PS script...

              # Add -AG etc. tags as command line parameters.  If null, pass null.
              param (
                  $AG,
                  $CI,
                  $SE,
                  $ME,
                  $HN,
                  $TO
              )

              if(!$AG){$AG = $null}
              if(!$CI){$CI = $null}
              if(!$SE){$SE = $null}
              if(!$ME){$ME = $null}
              if(!$HN){$HN = $null}
              if(!$TO){$TO = $null}

              # Accepts any server certificate, i.e. no TLS validation on the HEC call
              [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

              $response = ""
              $formatteddate = "{0:MM/dd/yyyy hh:mm:sstt zzz}" -f (Get-Date)

              # Picks a random severity; not used below, the -SE parameter is sent instead
              $arraySeverity = 'INFO','WARN','ERROR'
              $severity = $arraySeverity[(Get-Random -Maximum ([array]$arraySeverity).count)]

              $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
              # HEC expects the header value in the form "Splunk <token>"
              $headers.Add("Authorization", '<KeyGoesHere>')

              # HEC payload: "host" is metadata; the nested "event" object (required by HEC) is
              # reconstructed here from the indentation of the original post
              $body = '{
                        "host":"' + $HN + '",
                        "event": {
                           "message":"' + $ME + '",
                           "severity":"' + $SE + '",
                           "user": "' + $AG +'",
                           "date":"' + $formatteddate + '",
                           "CI":"' + $CI + '",
                           "TO":"' + $TO + '"
                        }
                      }'

              # Full collector URL, e.g. https://<host>:8088/services/collector
              $splunkserver = "<ServerNameGoesHere>"
              $response = Invoke-RestMethod -Uri $splunkserver -Method Post -Headers $headers -Body $body
              "Code:'" + $response.code + "' text:'"+ $response.text + "'"

            • Re: Alert Action using powershell script

              FYI: Resolved this issue by using "powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File <scriptname>".
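The script in the reply above and the fix in this last post, put together as an added example (not code from the thread or from SolarWinds/Splunk). It keeps the same -AG/-CI/-SE/-ME/-HN/-TO parameters, but builds the HEC payload with ConvertTo-Json so quotes or newlines in ${MESSAGE} cannot break the JSON, leaves TLS certificate validation on, reads the token from an environment variable instead of the script body, and writes a log file so a run started by the alert engine (where nothing reaches a console) can be diagnosed. The HEC URL, log path, script path and the SPLUNK_HEC_TOKEN variable are placeholders/assumptions.

```powershell
<#
  Added example. Alert action "Program to execute" line (constructed):
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass `
      -File C:\Scripts\Send-HecEvent.ps1 -AG "<GroupName>" -CI "<ConfigItemName>" -SE "<Severity>" `
      -ME "${MESSAGE}" -HN "<Hostname>"
  -NoProfile and a per-process execution policy (Bypass or the thread's Unrestricted) are what
  make the non-interactive run behave like the interactive one.
#>
[CmdletBinding()]
param (
    [string]$AG,
    [string]$CI,
    [string]$SE,
    [string]$ME,
    [string]$HN = $env:COMPUTERNAME,
    [string]$TO,
    [string]$HecUri  = 'https://splunk.example.com:8088/services/collector/event',  # placeholder
    [string]$LogPath = "$env:ProgramData\NpmAlerts\hec-alert.log"                    # placeholder
)

# File logging: the alert engine gives the script no console, so this is the only
# place the reason for a failed run can be read back.
function Write-Log {
    param([string]$Text)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value ('{0:u} [{1}] {2}' -f (Get-Date), $PID, $Text)
}

Write-Log ('Started as {0}\{1}; ExecutionPolicy={2}' -f $env:USERDOMAIN, $env:USERNAME, (Get-ExecutionPolicy))

# Assumption: the token is set as an environment variable for the account that runs
# the alert action, so it is not stored in the script itself.
$token = $env:SPLUNK_HEC_TOKEN
if (-not $token) { Write-Log 'No HEC token found in SPLUNK_HEC_TOKEN'; exit 2 }

# Build the payload as objects; ConvertTo-Json escapes quotes, backslashes and newlines
# coming from the alert message, which plain string concatenation does not.
$payload = @{
    host       = $HN
    sourcetype = '_json'
    event      = @{
        message  = $ME
        severity = $SE
        user     = $AG
        date     = '{0:MM/dd/yyyy hh:mm:sstt zzz}' -f (Get-Date)
        CI       = $CI
        TO       = $TO
    }
}
$body = $payload | ConvertTo-Json -Depth 4 -Compress

# HEC authenticates with the "Splunk <token>" scheme.
$headers = @{ Authorization = "Splunk $token" }

try {
    # Certificate validation stays enabled; trust the collector's CA on the poller instead.
    $response = Invoke-RestMethod -Uri $HecUri -Method Post -Headers $headers `
                                  -ContentType 'application/json' -Body $body -TimeoutSec 15
    Write-Log ('HEC reply code={0} text={1}' -f $response.code, $response.text)
    if ($response.code -ne 0) { exit 1 }
}
catch {
    Write-Log ('HEC POST failed: {0}' -f $_.Exception.Message)
    exit 1
}
```

The log line written at start records the account and the effective execution policy, which is usually enough to tell apart the two common causes of "works from a prompt, fails from the alert": a different user profile (no saved credentials, different proxy or certificate store) and a machine execution policy that blocks -File.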