Documentation of sendalert's payload

New Member


I'm in need of clarification regarding custom alert actions and, in particular, the payload generated by the sendalert command. Sadly, I was unable to find these points adressed in the documentation of custom actions, alert_actions.conf and savedsearches.conf or here at answers.splunk.

  1. While reviewing the payload send to my script when the alert is triggered (or alternatively the sendalert command is used), I noticed that the payload always has at least the fields results_link, app, sid, search_name, result, results_file, server_uri, owner, server_host. Is this correct?
  2. Am I correct that the result always (with one qualification, see next question) includes the first result of a search and that the full results can be found in the file given in results_file?
  3. Is it correct, that the my custom script is invoked each time the search finds a result which has different fields than the preceding result (so that the results_file always has a fixed schema)?

Since the alert app I'm working on is kinda critical I would be grateful for reliable statements regarding these points.


0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!