runshellscript
The runshellscript command is an internal, unsupported, experimental command. See About internal commands.
Description
For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.
This command is considered risky because, if used incorrectly, it can pose a security risk or potentially cause data loss when it runs. As a result, this command triggers SPL safeguards. See SPL safeguards for risky commands in Securing the Splunk Platform.
Syntax
runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file> <search-ID> <results-file-path-deprecated-arg>
Usage
The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts or $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script.
Argument | Description |
---|---|
$0 | The filename of the script. |
$1 | The result count, or number of events returned. |
$2 | The search terms. |
$3 | The fully qualified search string. |
$4 | The name of the saved search. |
$5 | The description or trigger reason. For example, "The number of events was greater than 1." |
$6 | The link to saved search results. |
$7 | DEPRECATED - empty string argument. |
$8 | The search ID. |
The runshellscript command validates the $8 search ID argument on:
- Whether the provided search ID exists.
- Whether you have permission to access the provided search ID.
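The following added example, which is not part of the Splunk documentation, shows a scripted-alert handler that treats the positional arguments in the table above as untrusted data: it validates $1 and $8 and strips control characters before logging. The log path, the function names, and the search ID character allow-list are assumptions of the example.

```shell
#!/bin/sh
# Added example: a scripted-alert handler that treats every positional
# argument from runshellscript as untrusted data. Never eval or re-expand them.

# Hypothetical log location; override with ALERT_LOG.
ALERT_LOG="${ALERT_LOG:-/tmp/alert_handler.log}"

# Drop control characters (newlines included) and double quotes, and cap the
# length, so a crafted search string or description cannot forge log lines.
clean() {
    printf '%s' "$1" | tr -d '\000-\037\177"' | cut -c1-512
}

# Assumption: the search ID uses only these characters. This allow-list is
# the example's own choice, not a documented Splunk format.
valid_sid() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The result count ($1) must be a non-negative integer.
valid_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Arguments arrive in the order of the table above: $1 count, $2 terms,
# $3 search string, $4 saved search name, $5 reason, $6 URL, $7 unused, $8 SID.
handle_alert() {
    [ "$#" -ge 8 ] || { echo "expected 8 arguments" >&2; return 2; }
    valid_count "$1" || { echo "rejecting non-numeric count" >&2; return 1; }
    valid_sid "$8" || { echo "rejecting malformed search ID" >&2; return 1; }
    printf 'count=%s sid=%s name="%s" reason="%s" search="%s"\n' \
        "$1" "$8" "$(clean "$4")" "$(clean "$5")" "$(clean "$3")"
}

# When run by the alert action, append one line per trigger to the log.
if [ "$#" -ge 8 ]; then
    handle_alert "$@" >> "$ALERT_LOG"
fi
```

The handler only ever passes the arguments to printf as data, so shell metacharacters in the search string or description are logged literally rather than interpreted.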
See also
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0