runshellscript
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
runshellscript
This command is experimental and not currently supported by Splunk.
Synopsis
Internal command used to execute scripted alerts.
Syntax
runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <search-id>
Description
Internal command used to execute scripted alerts. The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts OR $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The search ID is used to create a path to the search's results. All other arguments are passed to the script (unvalidated) as follows:
- $0 = The filename of the script.
- $1 = The result count, or number of events returned.
- $2 = The search terms.
- $3 = The fully qualified query string.
- $4 = The name of the saved search in Splunk.
- $5 = The description or trigger reason (i.e. "The number of events was greater than 1").
- $6 = The link to saved search results.
- $7 = DEPRECATED - empty string argument.
- $8 = The search ID, or file where the results for this search are stored (contains raw results).
For more information, check out this excellent topic on troubleshooting alert scripts on the Splunk Community Wiki and see "Configure scripted alerts" in the Admin Manual.
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the runshellscript command.
This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.
I get no results when I run this command. I've tried using just the script name and tried using the full path. Same result.