Documentation of sendalert's payload

New Member


I'm in need of clarification regarding custom alert actions and, in particular, the payload generated by the sendalert command. Sadly, I was unable to find these points adressed in the documentation of custom actions, alert_actions.conf and savedsearches.conf or here at answers.splunk.

  1. While reviewing the payload send to my script when the alert is triggered (or alternatively the sendalert command is used), I noticed that the payload always has at least the fields results_link, app, sid, search_name, result, results_file, server_uri, owner, server_host. Is this correct?
  2. Am I correct that the result always (with one qualification, see next question) includes the first result of a search and that the full results can be found in the file given in results_file?
  3. Is it correct, that the my custom script is invoked each time the search finds a result which has different fields than the preceding result (so that the results_file always has a fixed schema)?

Since the alert app I'm working on is kinda critical I would be grateful for reliable statements regarding these points.


0 Karma
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...