I'm in need of clarification regarding custom alert actions and, in particular, the payload generated by the sendalert command. Sadly, I was unable to find these points adressed in the documentation of custom actions, alert_actions.conf and savedsearches.conf or here at answers.splunk.
- While reviewing the payload send to my script when the alert is triggered (or alternatively the sendalert command is used), I noticed that the payload always has at least the fields results_link, app, sid, search_name, result, results_file, server_uri, owner, server_host. Is this correct?
- Am I correct that the result always (with one qualification, see next question) includes the first result of a search and that the full results can be found in the file given in results_file?
- Is it correct, that the my custom script is invoked each time the search finds a result which has different fields than the preceding result (so that the results_file always has a fixed schema)?
Since the alert app I'm working on is kinda critical I would be grateful for reliable statements regarding these points.