Skip to main content
Sumo Logic

Script Action

A script action passes the results of a scheduled search to a script or program that runs on a machine with an installed collector. The results are temporarily saved to the filesystem in JSON format at:


This fully-qualified path is passed as the first parameter to the script or program you configure in the script action. Anything printed to STDOUT will be collected and searchable.

Step 1. Create script

Create the script and save it to a folder on the installed collector where you will set up the script action. See the example below.

Step 2. Set up script action

You can set up a script action using the Sumo web app, described in Option A below, or by specifying it in a JSON file, described in Option B.

Option A. Set up script action using UI

  1. In Sumo Logic select Manage Data > Collection > Collection.
  2. Find the name of the installed collector to which want to add the script action and select Add > Add Script Action.
  3. Name. Enter a name to display for the script action.
  4. Description. Optional.
  5. Specify a timeout for your command. You can optionally set a timeout for script execution. Setting a timeout ensures that a script is killed, making sure that resources aren't fully consumed. If you set a timeout, make sure to select a generous amount of time to make sure that the script has enough time to finish running.
  6. Command. Choose the type of command you're going to use.
  7. Script. Enter the path to the script. Do not enter the contents of the script. (When the collector executes the script, it will pass the full path to a file containing the search results that triggered the script action as the first and only parameter.)
  8. Working Directory. Specify a directory if you need your script action to execute in a different directory than the collector's installation directory.
  9. Click Save.

Option B. Set up script action in JSON file

To define a script action in a JSON file, define the following options:

  • name.  Name of the action.
  • commands. Type of command. See the previous section for examples.
  • file. Path to the script.
  • workingDir. Directory in which you want to run the script.
  • timeout. Timeout for script execution, in milliseconds.
  • sourceType. Set to "alert"

For more information about configuring sources in JSON files, see Use JSON to Configure Sources.

Step 3. Set up a scheduled search

After the script action has been added to your collector, you can create a scheduled search. The search name will appear in the output file, along with the query.

The first time the scheduled search executes, output files will begin to be generated.

  1. Save a search
  2. Click Schedule this search
  3. For all configuration options, see Schedule a Search
  4. Alert Type. Select Script Action.
  5. Script Action. Select the name of the script action (displayed with its collector's name) from the menu.
  6. Click Save.


This example shows how to set up a script and configure a script action.

  1. Create a shell script, with the following contents:#!/bin/bash
    num=`grep -oi  "WARN" $1 | wc -l`
    echo "The number of \"WARN\" in the scheduled search result is $num"​

    This script reads the output file of the scheduled search, counts the number of the appearances of keyword “WARN”, and then prints out the resulting number. For example, if the keyword “WARN” appears 10 times in the scheduled search results, the script prints the following:

    The number of "WARN" in the scheduled search result is 10.
  2. Set the shell script as an executable file:
    chmod +x
  3. Select Manage Data > Collection > Collection.
  4. Find the name of the installed collector to which you want to add the script action and select Add > Add Script Action.
  5. Configure the script action as described in Step 2 above.
  6. Define a search and click Save As
  7. Click Schedule this search, and complete the search configuration. Select "Script Action" as the Alert Type and select the script that you created. Click Save.

The collector creates an alerts directory in the working directory to store the results of the search, as in this example:

When the collector gets the result of the scheduled search, it runs the script. The output of the script is collected by the script action, and you can run a query to get the results.

For this example, the collector runs the following system command:

/bin/sh /Users/yluo/Development/sumo/collector/ /Users/yluo/Development/sumo/collector/alerts/000000000ABA1879-02-19-12-08-19-5.txt



is the shell script defined earlier for processing the data, and


is the output file of the scheduled search.

If you run the following query:




is the name of the script action, the output of the script is displayed.

About the search results file

The Sumo Logic file is the result of a scheduled search written in JSON format. It includes the results of the scheduled search, as well as information about the time range of the search. By default, the files are stored in the collector installation directory. Every three hours the files are purged.

A maximum of 10,000 messages are included in the file. Each message in the search results is marked with the collector's metadata and a time stamp. At the end of each file you'll find information about the scheduled search:

  1. End of scheduled search (Unix timestamp)
  2. Beginning time of scheduled search.
  3. User account.
  4. Name of the scheduled search (reflects the name saved with the search; can be modified)
  5. Query saved as the scheduled search.
  6. Click the URL to view the results of the search in a web page.
  7. Number of messages.