
runshellscript
Description
For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.
Syntax
runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file>
Usage
The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts or $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script. These arguments are not validated.
Argument | Description |
---|---|
$0 | The filename of the script. |
$1 | The result count, or number of events returned. |
$2 | The search terms. |
$3 | The fully qualified query string. |
$4 | The name of the saved search in Splunk. |
$5 | The description or trigger reason. For example, "The number of events was greater than 1." |
$6 | The link to saved search results. |
$7 | DEPRECATED - empty string argument. |
$8 | The path to the results file, results.csv. The results file contains raw results. |
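Because the arguments are not validated, a scripted alert should treat $1 through $8 as untrusted input. The handler below is an added example, not Splunk's own code; the function names and the ALERT_LOG path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted-alert handler that treats $1..$8 as untrusted input.
# ALERT_LOG is a hypothetical log path, not a Splunk setting.
ALERT_LOG="${ALERT_LOG:-/tmp/scripted_alert.log}"

# True only for a plain non-negative integer (what $1 should be).
is_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Replace control characters (newlines included) and double quotes, and cap
# the length, so a search name or description cannot forge extra log lines
# or break out of a quoted field.
clean_field() {
    printf '%s' "$1" | tr '[:cntrl:]' ' ' | tr '"' "'" | cut -c1-200
}

# Validate the arguments, then append one log line. Nothing is handed to
# eval, sh -c, or an unquoted expansion.
handle_alert() {
    [ "$#" -ge 8 ] || { echo "expected 8 arguments, got $#" >&2; return 2; }
    count=$1 search_name=$4 reason=$5 results_file=$8
    is_count "$count" || { echo "result count is not a number" >&2; return 3; }
    # Conservative choice: accept only an existing regular file, not a symlink.
    if [ ! -f "$results_file" ] || [ -L "$results_file" ]; then
        echo "results file missing or not a regular file" >&2; return 4
    fi
    printf 'count=%s search="%s" reason="%s" lines=%s\n' \
        "$count" "$(clean_field "$search_name")" \
        "$(clean_field "$reason")" \
        "$(wc -l < "$results_file" | tr -d ' ')" >> "$ALERT_LOG"
}

# Run only when invoked with the full argument list.
[ "$#" -lt 8 ] || handle_alert "$@"
```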
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the runshellscript command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.2.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.1.3
"$0 = The filename of the script." is not actually passed to the script. E.g. in Perl, $ARGV[0] is the result count ... $ARGV[7] is the results file. In bash, $0 is the currently executing script name, so the indices shown here are correct.