The runshellscript command is an internal, unsupported, experimental command. See About internal commands.
For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.
runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file>
The script file needs to be located in either
$SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script. These arguments are not validated.
|Argument|Description|
|---|---|
|$0|The filename of the script.|
|$1|The result count, or number of events returned.|
|$2|The search terms.|
|$3|The fully qualified query string.|
|$4|The name of the saved search in Splunk.|
|$5|The description or trigger reason. For example, "The number of events was greater than 1."|
|$6|The link to saved search results.|
|$7|DEPRECATED - empty string argument.|
|$8|The path to the results file, |
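
Because the arguments in the table above are not validated before they reach the script, a scripted alert should treat every one of them as untrusted input. The handler below is an added example, not Splunk's code; `RESULTS_BASE` is a placeholder for the directory where results files are expected in your deployment, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: defensive scripted-alert handler (not Splunk's own code).
# ASSUMPTION: RESULTS_BASE is a placeholder; set it to the directory where
# results files are expected in your deployment.
RESULTS_BASE="${RESULTS_BASE:-/path/to/expected/results/dir}"

# $1 (result count) must be a non-negative integer and nothing else.
is_valid_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $8 (results file) must sit under RESULTS_BASE with no ".." anywhere.
# Symlinks are not resolved here.
is_safe_results_path() {
    case "$1" in
        *..*) return 1 ;;
        "$RESULTS_BASE"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Free-text fields ($2-$6): drop control characters and double quotes so a
# value cannot forge extra log lines or break field quoting; cap the length.
sanitize_field() {
    printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]"' | cut -c1-200
}

# Takes the eight arguments exactly as the table lists them ($1..$8).
handle_alert() {
    is_valid_count "$1" || { echo "rejected: bad result count" >&2; return 2; }
    is_safe_results_path "$8" || { echo "rejected: bad results path" >&2; return 3; }
    printf 'alert="%s" count=%s reason="%s" results="%s"\n' \
        "$(sanitize_field "$4")" "$1" "$(sanitize_field "$5")" \
        "$(sanitize_field "$8")"
}

# Every expansion is quoted and nothing is passed to eval or sh -c.
if [ "$#" -ge 8 ]; then
    handle_alert "$@" || exit "$?"
fi
```
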
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.0.8, 7.0.11, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 8.0.0