Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

runshellscript

This command is experimental and not currently supported by Splunk.

Synopsis

Internal command used to execute scripted alerts.

Syntax

runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <search-id>

Description

Internal command used to execute scripted alerts. The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts OR $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The search ID is used to create a path to the search's results. All other arguments are passed to the script (unvalidated) as follows:

  • $0 = The filename of the script.
  • $1 = The result count, or number of events returned.
  • $2 = The search terms.
  • $3 = The fully qualified query string.
  • $4 = The name of the saved search in Splunk.
  • $5 = The description or trigger reason (i.e. "The number of events was greater than 1").
  • $6 = The link to saved search results.
  • $7 = DEPRECATED - empty string argument.
  • $8 = The search ID, or file where the results for this search are stored (contains raw results).

For more information, check out this excellent topic on troubleshooting alert scripts on the Splunk Community Wiki and see "Configure scripted alerts" in the Admin Manual.

See also

script

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the runshellscript command.

PREVIOUS
reducepy
  NEXT
About CLI searches

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

I get no results when I run this command. I've tried using just the script name and tried using the full path. Same result.

Robkelley
May 16, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters