Splunk Cloud Platform

Search Reference

runshellscript

The runshellscript command is an internal, unsupported, experimental command. See About internal commands.

Description

For Splunk Enterprise deployments, executes scripted alerts. This command is not supported as a search command.

This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs. As a result, this command triggers SPL safeguards. See SPL safeguards for risky commands in Securing the Splunk Platform.

Syntax

runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <results_file> <search-ID> <results-file-path-deprecated-arg>

Usage

The script file needs to be located in either $SPLUNK_HOME/etc/system/bin/scripts OR $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts. The following table describes the arguments passed to the script.

Argument Description
$0 The filename of the script.
$1 The result count, or number of events returned.
$2 The search terms.
$3 The fully qualified search string.
$4 The name of the saved search.
$5 The description or trigger reason. For example, "The number of events was greater than 1."
$6 The link to saved search results.
$7 DEPRECATED - empty string argument.
$8 The search ID.

The runshellscript command validates the $8 search ID argument on

  • Whether the provided search ID exists.
  • Whether you have permission to access the provided search ID.

See also

script

Last modified on 14 April, 2023
redistribute   About searches in the CLI

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release), 9.0.2205, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters