runshellscript command is an internal, unsupported, experimental command. See
About internal commands.
For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.
This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs. As a result, this command triggers SPL safeguards. See SPL safeguards for risky commands in Securing the Splunk Platform.
runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file> <search-ID> <results-file-path>
The script file needs to be located in either
$SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script. These arguments are not validated.
|$0||The filename of the script.|
|$1||The result count, or number of events returned.|
|$2||The search terms.|
|$3||The fully qualified search string.|
|$4||The name of the saved search.|
|$5||The description or trigger reason. For example, "The number of events was greater than 1."|
|$6||The link to saved search results.|
|$7||DEPRECATED - empty string argument.|
|$8||The path to the results file, |
About searches in the CLI
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10
Feedback submitted, thanks!