Did everything step by step as in your instruction, people on the other side (3rd party app), who are waiting for script results, said it didn't trigger.
For clarification: script is not mine, but I have to run it with arguments. It works when I run it from Command line like this: php my_script.php "test1 | test2 | test3 | test4"

Check splunkd logs:

index=_internal earliest=-24h action=my_script

Here is the result. Same error every alert
02-20-2020 16:38:04.787 +0600 ERROR sendmodalert - action=Splunk_integration - Failed to find alert.execute.cmd "/path/to/php".

You need to provide path to /path/to/php for alert.execute.cmd.

Set alert.execute.cmd = php

Tried with adding full path to alert.execute.cmd = /opt/splunk/etc/apps/myapp/bin/script.php
And just adding as you said alert.execute.cmd = php

No use, same Errors
pls check the pic

is script path is /opt/splunk/etc/apps/myapp/bin/script.php OR /opt/splunk/etc/apps/alert_action/bin/my_script.php?

Make sure this script is executable.
chmod +x /opt/splunk/etc/apps/alert_action/bin/my_script.php

And also add file default.metadata in /metadata/ with below content.

[]
access = read : [ * ], write : [ admin ]
export = system

/opt/splunk/etc/apps/alert_action/bin/my_script.php - my script path looks like this.
Script is executable. I've added to metadata. Still the same Error.

Wait absolute paths are not supported for alert.execute.cmd.
Step 1. Create php.path in /opt/splunk/etc/apps/alert_action/bin/ with below content:

/usr/bin/php

Step 2. Make .path file executable:
chmod +x /opt/splunk/etc/apps/alert_action/bin/php.path

Step 3. Set alert.execute.cmd = php.path in alert_actions.conf.

Cool, I've got events which show success results. Now I'm waiting for a response from Devs.

One more thing, the script will be executed in like this with four separate parameters.

/usr/bin/php /opt/splunk/etc/apps/alert_action/bin/my_script.php date field1 field 2 _raw

If the parameter is this: "test1 | test2 | test3 | test4", then make below changes in alert_actions.conf:

[my_script]
 is_custom = 1
 label = My Alert Action
 disabled = 0
 alert.execute.cmd = php.path
 alert.execute.cmd.arg.0 =  /opt/splunk/etc/apps/alert_action/bin/my_script.php
 alert.execute.cmd.arg.1 = $trigger_date$ | $result.field1$ | $result.field2$ | $result._raw$

Thanks, script is working, but data being send is incorrect. Instead of sending Token values it sends Token text string.
3rd party is receiving it as text: $trigger_date$ $result.field1$ $result.field2$ $result._raw$.
Please see pic below and don't get your attention on 2 trigger.dates, it's my mistake 🙂

My apologies, alert.execute.cmd.arg only supports text.

Custom alert action works best with python script. Let's try this with that. Create a python script /opt/splunk/etc/apps/alert_action/bin/my_script.py as a wrapper to my_script.php with below content and update alert_actions.conf.

#!/usr/bin/python
import sys
import subprocess
import json
if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print >> sys.stderr, "FATAL Unsupported execution mode (expected --execute flag)"
        sys.exit(1)
    settings = json.loads(sys.stdin.read())
    config = settings['configuration']
    inputs = "%s | %s | %s | %s" % (config.get('trigger_date'), config.get('status'), config.get('uri_path'), config.get('raw'))
    command = "%s %s %s" % ("/usr/bin/php", "/opt/splunk/etc/apps/alert_action/bin/my_script.php", inputs)
    try:
        p = subprocess.Popen(command, stdin=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
        out, error = p.communicate()
        if error:
            print(error)
        if out:
            print(out)
    except Exception, e:
        print >> sys.stderr, "ERROR Unexpected error: %s" % e
        sys.exit(1)

Update alert_actions.conf with below content. You don't need to provide script name as stanza name matches with script name: my_script.py in app /opt/splunk/etc/apps/alert_action/bin/.

[my_script]
is_custom = 1
label = My Alert Action
payload_format = json
param.trigger_date = $trigger_date$
param.status = $result.status$
param.uri_path = $result.uri_path$
param.raw = $result._raw$

I tested this on my dev stack.

Hello manjunathmeti! I've created a python script with your code. Updated alert_actions.conf as you said but now I'm getting this Warn below. I guess it can't find a script to execute. May be I forgot to add a line in alert_action.conf?

02-24-2020 10:37:06.409 +0600 WARN sendmodalert - action=Splunk_integration - Unable to find alert action script for action="Splunk_integration" in app="alert_action_php"

Below is my_script.py and alert_action.conf

hi @damiko

In alert_actions.conf stanza name must be "my_script". Change stanza name Splunk_integration to my_script.

And also remove 1 space from beginning of each line (starting from line 2) in the python script. This is to avoid python indentation errors.

Not working they say, well I get the message in the search

02-24-2020 12:11:10.666 +0600 INFO sendmodalert - Invoking modular alert action=Splunk_integration for search="Damir_php_test" sid="scheduler_admin_YWxlcnRfYWN0aW9uX3BocA_RMD5f6cda7d30fd7e0b1_at_1582524660_62268" in app="alert_action_php" owner="admin" type="saved"

Which means that alert executed correctly, right?
What might be the issue then?

You should see one more log like below:

INFO sendmodalert - action= Splunk_integration - Alert action script completed in duration=XXX ms with exit code=0

Also make sure your search Damir_php_test contains the fileds: status, uri_path and _raw

Ok, they gave me an access to their portal.
It's receiving data!, but only trigger_date.

Does search Damir_php_test contains these fields: status, uri_path and _raw?

If yes then append | table status, uri_path, _raw to the search query and check.

Yes it does. My search initially had this query with | table status, uri_path, _raw

Please check below

P.S.
Still getting only trigger_date