Skip to main content
Sumo Logic

Script Action

 

A Script Action passes the results of a scheduled search to a script or program that runs on a machine with an installed Collector. The results are temporarily saved to the filesystem in JSON format at:

<sumologic_collector_installation_path>/<collector_id>-<MM>-<dd>-<HH>-<mm>-<ss>-<sequence_id>

This fully-qualified path is passed as the first parameter to the script or program you configure in the Script Action. Anything printed to STDOUT will be collected and searchable.

Step 1. Set up the Script Action

  1. Create the script. See the example in this topic.
  2. In Sumo Logic select Manage Data > Collection > Collection (Manage > Collection in the classic UI).
  3. Find the name of the Installed Collector to which you'd like to add a Source and select Add > Add Script Action.
  4. Enter a name to display for the Script Action. Description is optional.
  5. If you'd like to specify a timeout for your script, select Specify a timeout for your command. Setting a timeout ensures that a script is killed, making sure that resources aren't fully consumed. If you choose to set a timeout, make sure to select a generous amount of time to make sure that the script has enough time to finish running.
  6. For Command, choose the type of command you're going to use.
  7. In the Script text box, type the script's path. The script itself cannot be typed in the Script text box. (When the Collector executes this script, it will pass the full path to a file containing the search results that triggered the Script Action as the first and only parameter.)
  8. For Working Directory, specify a directory if you need your script action to execute in a different directory than the Collector's install directory.
  9. Click Save.

Step 2. Set up a Scheduled Search

After the Script Action has been added to your Sumo Logic account, you can create a scheduled search. The Search name will appear in the output file, along with the query.

The first time the scheduled search executes, output files will begin to be generated.

  1. Save a search
  2. Click Schedule this search
  3. For all configuration options, see Schedule a Search
  4. Alert Type. Select Script Action.
  5. Script Action. Select the name of the Script Action (displayed with its Collector's name) from the menu.
  6. Click Save.

Example

This example shows how to set up a script and configure a Script Action.

  1. Create a shell script countNumberOfWarnings.sh, with the following contents:

#!/bin/bash
num=`grep -oi  "WARN" $1 | wc -l`
echo "The number of \"WARN\" in the scheduled search result is $num"​

This script reads the output file of the scheduled search, counts the number of the appearances of keyword “WARN”, and then prints out the resulting number. For example, if the keyword “WARN” appears 10 times in the scheduled search results, the script print the following:

The number of "WARN" in the scheduled search result is        10”.

  1. Set the shell script as an executable file:

chmod +x countNumberOfWarnings.sh

  1. Select Manage Data > Collection > Collection.
  2. Find the name of the installed Collector to which you'd like to add a Source and select Add > Add Script Action.
  3. Configure the Script Action as described previously in this topic.
  4. Define a search and click Save As. 
  5. Click Schedule this search, complete the search configuration. Select Alert Type for Script Action and select the script that you created. Click Save.

The Collector creates an alerts directory in the working directory to store the results of the search, as in this example:

When the Collector gets the result of the scheduled search, it runs the script defined by the customer to process the results. The output of the script is collected by the script action, and you can run a query to get the results.

For this example, the Collector runs the following system command:

/bin/sh /Users/yluo/Development/sumo/collector/countNumberOfWarnings.sh /Users/yluo/Development/sumo/collector/alerts/000000000ABA1879-02-19-12-08-19-5.txt

where

/Users/yluo/Development/sumo/collector/countNumberOfWarnings.sh 

is the shell script defined earlier for processing the data, and

/Users/yluo/Development/sumo/collector/alerts/000000000ABA1879-02-19-12-08-19-5.txt 

is the output file of the scheduled search.

If you run the following query:

_source=ScriptAction_Shell_Script

where

ScriptAction_Shell_Script

is the name of the script action, the output of the script is displayed.

Script action example

About the search results file

The Sumo Logic file is the result of a scheduled search written in JSON format. It includes the results of the scheduled search, as well as information about the time range of the search. By default, the files are stored in the Collector installation directory. Every three hours the files are purged.

A maximum of 10,000 messages are included in the file. Each message in the search results is marked with the Collector's metadata and a time stamp. At the end of each file you'll find information about the scheduled search:

  1. End of scheduled search (Unix timestamp)
  2. Beginning time of scheduled search.
  3. User account.
  4. Name of the scheduled search (reflects the name saved with the search; can be modified)
  5. Query saved as the scheduled search.
  6. Click the URL to view the results of the search in a web page.
  7. Number of messages.