Documentation of sendalert's payload

New Member


I'm in need of clarification regarding custom alert actions and, in particular, the payload generated by the sendalert command. Sadly, I was unable to find these points adressed in the documentation of custom actions, alert_actions.conf and savedsearches.conf or here at answers.splunk.

  1. While reviewing the payload send to my script when the alert is triggered (or alternatively the sendalert command is used), I noticed that the payload always has at least the fields results_link, app, sid, search_name, result, results_file, server_uri, owner, server_host. Is this correct?
  2. Am I correct that the result always (with one qualification, see next question) includes the first result of a search and that the full results can be found in the file given in results_file?
  3. Is it correct, that the my custom script is invoked each time the search finds a result which has different fields than the preceding result (so that the results_file always has a fixed schema)?

Since the alert app I'm working on is kinda critical I would be grateful for reliable statements regarding these points.


0 Karma
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...