Hello Ninjas!
I need help with setting up an alert which triggers a php script with the results. This script should pass the results to a 3rd-party system.
For example: script.php "date | field1 | field 2 | _raw "
Step 1. Place script my_script.php in $SPLUNK_HOME/etc/apps/[app]/bin/.
Step 2. Create a php.path file in $SPLUNK_HOME/etc/apps/[app]/bin/ or in $SPLUNK_HOME/bin/ with the below content (path to the php binary) and make it executable.
/usr/bin/php
Step 3. Create app.conf and alert_actions.conf in $SPLUNK_HOME/etc/apps/[app]/default/ with the below configurations. Note that the name of the script should be the same as its alert_actions.conf stanza name.
app.conf:
[ui]
is_visible = 0
label = My Alert Action
[launcher]
description = My Alert Action
version = 1.0.0
[install]
state = enabled
is_configured = 1
alert_actions.conf:
[my_script]
is_custom = 1
label = My Alert Action
disabled = 0
alert.execute.cmd = php.path
alert.execute.cmd.arg.0 = $SPLUNK_HOME/etc/apps/[app]/bin/my_script.php
alert.execute.cmd.arg.1 = $trigger_date$
alert.execute.cmd.arg.2 = $result.field1$
alert.execute.cmd.arg.3 = $result.field2$
alert.execute.cmd.arg.4 = $result._raw$
Note that $result.field1$, $result.field2$ and $result._raw$ are the field values from the first row of the search results.
Step 4. Configure alert with this alert action:
savedsearches.conf:
[alert_name]
action.my_script = 1
The script will be executed like this:
/usr/bin/php $SPLUNK_HOME/etc/apps/[app]/bin/my_script.php $trigger_date$ $result.field1$ $result.field2$ $result._raw$
The Python script runs the php script like below:
/usr/bin/php /opt/splunk/etc/apps/alert_action/bin/my_script.php "2020-02-24 | 404 | /mail-app/api/v2/subscription | 82.200.xx.xx - text message"
Check if this command works.
Yeah this works when I'm running it from cmd line.
Any method to troubleshoot my alert?
Replace the content of the python script with the below code and check. This code now reads the results file directly.
#!/usr/bin/python
import sys
import subprocess
import json
import csv
import gzip

if __name__ == "__main__":
    rows = []
    # Splunk invokes a custom alert action script with the --execute flag
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print >> sys.stderr, "FATAL Unsupported execution mode (expected --execute flag)"
        sys.exit(1)
    # the alert settings arrive as a JSON document on stdin
    settings = json.loads(sys.stdin.read())
    config = settings['configuration']
    results_file = settings['results_file']
    trigger_date = config.get('trigger_date')
    try:
        # results_file is a gzipped CSV; skip the __mv_* multivalue helper columns
        with gzip.open(results_file.rstrip('\r\n'), 'rb') as rfile:
            reader = csv.DictReader(rfile, lineterminator="\n")
            for row in reader:
                rows.append({str(k): v for k, v in row.items() if not k.startswith("__mv_")})
    except Exception as e:
        print("Reading %s failed. Error: %s" % (results_file, e))
        sys.exit(2)
    # run the php script once per result row
    for row in rows:
        inputs = "%s | %s | %s | %s" % (trigger_date, row['status'], row['uri_path'], row['_raw'])
        command = "%s %s %s" % ("/usr/bin/php", "/opt/splunk/etc/apps/alert_action/bin/my_script.php", inputs)
        try:
            # stdout must be piped as well, otherwise `out` is always None
            p = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE, shell=True)
            out, error = p.communicate()
            if error:
                print(error)
            if out:
                print(out)
        except Exception as e:
            print("ERROR Unexpected error: %s" % e)
            sys.exit(3)
Changed the code in my_script.py. However, still blank fields.
from _internal: 02-24-2020 16:23:30.752 +0600 INFO sendmodalert - action=my_script - Alert action script completed in duration=7905 ms with exit code=0
I am getting this command in the splunk logs. Looks like the input parameter to the php script should be in quotes. Check if the below command works.
/usr/bin/php /opt/splunk/etc/apps/alert_action/bin/my_script.php '2020-02-24 | 200 | /servicesNS/nobody/splunk_app_for_nix/saved/searches/fired_alerts/notify | 127.0.0.1 - splunk-system-user [24/Feb/2020:10:40:05.115 +0000] "POST /servicesNS/nobody/splunk_app_for_nix/saved/searches/fired_alerts/notify?trigger.condition_state=1 HTTP/1.1" 200 1981 - - - 5ms'
If this works, use the below code and check:
#!/usr/bin/python
import sys
import subprocess
import json
import csv
import gzip

if __name__ == "__main__":
    rows = []
    # Splunk invokes a custom alert action script with the --execute flag
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print >> sys.stderr, "FATAL Unsupported execution mode (expected --execute flag)"
        sys.exit(1)
    # the alert settings arrive as a JSON document on stdin
    settings = json.loads(sys.stdin.read())
    config = settings['configuration']
    results_file = settings['results_file']
    trigger_date = config.get('trigger_date')
    try:
        # results_file is a gzipped CSV; skip the __mv_* multivalue helper columns
        with gzip.open(results_file.rstrip('\r\n'), 'rb') as rfile:
            reader = csv.DictReader(rfile, lineterminator="\n")
            for row in reader:
                rows.append({str(k): v for k, v in row.items() if not k.startswith("__mv_")})
    except Exception as e:
        print("Reading %s failed. Error: %s" % (results_file, e))
        sys.exit(2)
    # run the php script once per result row; the fields are passed as one quoted argument
    for row in rows:
        inputs = "'%s | %s | %s | %s'" % (trigger_date, row['status'], row['uri_path'], row['_raw'])
        command = "%s %s %s" % ("/usr/bin/php", "/opt/splunk/etc/apps/alert_action/bin/my_script.php", inputs)
        try:
            # stdout must be piped as well, otherwise `out` is always None
            p = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE, shell=True)
            out, error = p.communicate()
            if error:
                print(error)
            if out:
                print(out)
        except Exception as e:
            print("ERROR Unexpected error: %s" % e)
            sys.exit(3)
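The quoting problem above comes from building one shell command string with shell=True while _raw contains arbitrary log data (a single apostrophe in a request line breaks the call apart, and shell metacharacters would be interpreted). Passing an argument list instead, with the joined fields as one argv element, removes both issues. This is an added example, not the script from the thread; it assumes the same /usr/bin/php and my_script.php paths and the status, uri_path and _raw fields, and demo_results_file() writes a constructed results.csv.gz so it runs offline.

```python
#!/usr/bin/env python3
# Added example for this thread (not the posted script): no shell, fields passed as one argv element.
import csv
import gzip
import os
import subprocess
import tempfile

PHP_BIN = "/usr/bin/php"                                            # assumed path
PHP_SCRIPT = "/opt/splunk/etc/apps/alert_action/bin/my_script.php"  # assumed path
FIELDS = ["status", "uri_path", "_raw"]                             # fields used in the thread


def read_results(results_file):
    """Read Splunk's gzipped results.csv, dropping the __mv_* multivalue helper columns."""
    rows = []
    with gzip.open(results_file.rstrip("\r\n"), "rt", newline="") as rfile:
        for row in csv.DictReader(rfile):
            rows.append({k: v for k, v in row.items() if not k.startswith("__mv_")})
    return rows


def build_argv(trigger_date, row, fields=FIELDS):
    """Build the argument list for one row. The joined fields are a single argv
    element, so quotes, spaces or metacharacters inside _raw (log data the
    script does not control) reach PHP verbatim and never meet a shell."""
    joined = " | ".join([trigger_date] + [row.get(f, "") for f in fields])
    return [PHP_BIN, PHP_SCRIPT, joined]


def run_rows(trigger_date, rows, runner=subprocess.run):
    """Invoke the PHP handler once per row without shell=True; return the exit codes."""
    return [runner(build_argv(trigger_date, row), capture_output=True).returncode
            for row in rows]


def demo_results_file():
    """Write a constructed results.csv.gz shaped like the file Splunk hands the script."""
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    os.close(fd)
    with gzip.open(path, "wt", newline="") as f:
        w = csv.writer(f)
        w.writerow(["status", "uri_path", "_raw", "__mv__raw"])
        w.writerow(["404", "/mail-app/api/v2/subscription",
                    '82.200.0.1 - - "GET /mail-app/api/v2/subscription?name=O\'Brien HTTP/1.1" 404', ""])
    return path
```

In the real alert action, replace demo_results_file() with settings['results_file'] read from stdin as in the script above; the apostrophe in the constructed _raw is exactly the kind of value that broke the quoted shell command.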
Nevermind, I've deleted spaces on each row. Now it's WORKING! Great! Thank you @manjunathmeti
What changes could I make in your python code to add more fields?
That's great! You can update the variable inputs in the code:
inputs = "'%s | %s | %s | %s | %s | %s | %s'" % (trigger_date, row['status'], row['uri_path'], row['_raw'], row['MORE_FIELD_1'], row['MORE_FIELD_2'], row['MORE_FIELD_3'])
And add MORE_FIELD_1, MORE_FIELD_2 and MORE_FIELD_3 in the search.
Hey, @manjunathmeti! I've got a problem, can't add new fields to the script. Below are the changes I made in your code and the errors I'm getting in _internal
    for row in rows:
        inputs = "'%s | %s | %s | %s | %s | %s | %s'" % (trigger_date, row['status'], row['uri_path'], row['_raw'], row['description'], row['ftime'], row['service'])
        command = "%s %s %s" % ("/usr/bin/php", "/opt/splunk/etc/apps/alert_action_php/bin/my_script.php", inputs)
There is a KeyError: 'description'. It means the description field is not there in your search results. Make sure all the fields you are adding are there in the search results.
No worries, I forgot to add the params in alert_action.conf. It's working now.
It's in my search query. I've added them in the |table command. Maybe I need to add them in alert_action.conf? result.description and etc.
Ok, thanks, will try later!
Now I'm receiving this WARN
please check the image
There is an indentation error in the script. Copy the python code as it is and remove the first space from each line.
Thank you manjunathmeti. The environment where I was testing it is blocked on weekend, I'll try your python method on Monday. Have a good weekend 🙂
Hey, thank you. I didn't finish setting it up yet, but wanted to ask you: where do I put savedsearches.conf?
Or should I change current savedsearches.conf?
You should change the existing savedsearches.conf.