Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

runshellscript

Description

For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.

Syntax

runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file>

Usage

The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts OR $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script. These arguments are not validated.

Argument Description
$0 The filename of the script.
$1 The result count, or number of events returned.
$2 The search terms.
$3 The fully qualified query string.
$4 The name of the saved search in Splunk.
$5 The description or trigger reason. For example, "The number of events was greater than 1."
$6 The link to saved search results.
$7 DEPRECATED - empty string argument.
$8 The path to the results file, results.csv. The results file contains raw results.

See also

script

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the runshellscript command.

PREVIOUS
noop
  NEXT
sendalert

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

"$0 = The filename of the script." Is not actually passed to the script. E.g. in perl, $ARGV[0] is the result count .. $ARGV[7] is the results file. In bash, $0 is the currently executing script name, so the indices shown here are correct.

Afirth
November 4, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters