This command is experimental and not currently supported by Splunk.
Internal command used to execute scripted alerts.
runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <search-id>
Internal command used to execute scripted alerts. The script file needs to be located in either
$SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The search ID is used to create a path to the search's results. All other arguments are passed to the script without validation, as follows:
- $0 = The filename of the script.
- $1 = The result count, or number of events returned.
- $2 = The search terms.
- $3 = The fully qualified query string.
- $4 = The name of the saved search in Splunk.
- $5 = The description or trigger reason (for example, "The number of events was greater than 1").
- $6 = The link to saved search results.
- $7 = DEPRECATED - empty string argument.
- $8 = The search ID, or file where the results for this search are stored (contains raw results).
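Because the arguments arrive unvalidated, an alert script should treat every one of them as untrusted input. The following is an added example, not Splunk's own code: the helper names (`sanitize`, `is_count`, `is_safe_path`, `format_alert`) and the log line format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: defensive handling of the positional arguments listed above.
# Helper names and the log line format are assumptions, not part of Splunk.

# Delete control characters (including newlines) and double quotes so that a
# value cannot forge extra log lines or break out of a key="value" field.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177"'
}

# Succeeds only if the value is a non-empty string of digits ($1, result count).
is_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Rejects an empty value and any path with a ".." component ($8, results file).
is_safe_path() {
    case "$1" in
        ''|..|../*|*/..|*/../*) return 1 ;;
        *) return 0 ;;
    esac
}

# Builds one log line from the eight arguments; returns non-zero on bad input.
# Every expansion is quoted and nothing is ever passed to eval or sh -c.
format_alert() {
    count=$1 name=$4 reason=$5 url=$6 results=$8
    is_count "$count" || { echo "rejected: non-numeric result count" >&2; return 1; }
    is_safe_path "$results" || { echo "rejected: unsafe results path" >&2; return 1; }
    printf 'alert name="%s" count=%s reason="%s" url="%s" results="%s"\n' \
        "$(sanitize "$name")" "$count" "$(sanitize "$reason")" \
        "$(sanitize "$url")" "$(sanitize "$results")"
}

# Entry point: runs only when the script is invoked with all eight arguments.
if [ "$#" -ge 8 ]; then
    format_alert "$@"
fi
```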
For more information, check out this excellent topic on troubleshooting alert scripts on the Splunk Community Wiki and see "Configure scripted alerts" in the Admin Manual.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7