Splunk Cloud Platform

Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

runshellscript

The runshellscript command is an internal, unsupported, experimental command. See About internal commands.

Description

For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.

Syntax

runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file> <search-ID> <results-file-path-deprecated-arg>

Usage

The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts OR $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script.

Argument Description
$0 The filename of the script.
$1 The result count, or number of events returned.
$2 The search terms.
$3 The fully qualified search string.
$4 The name of the saved search.
$5 The description or trigger reason. For example, "The number of events was greater than 1."
$6 The link to saved search results.
$7 DEPRECATED - empty string argument.
$8 The search ID.

The runshellscript command validates the $8 search ID argument on

  • Whether the provided search ID exists.
  • Whether you have permission to access the provided search ID.

See also

script

Last modified on 11 June, 2021
PREVIOUS
prjob
  NEXT
sendalert

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107, 8.2.2109


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters