doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost?

you can do the logging they mention in an alert script. Is your script in $SplunkHome$/bin/scripts ?

Appears Splunk will find a triggered alert script in $SPLUNK_HOME/bin/scripts.
But if the script contains >> directs to a file (like for debugging), that file is written to $SPLUNK_HOME/etc/apps/search/bin (assuming the alert was written in search app).
Does that sound right, or expected?

thank you. is there a posting that covers the case of alert scruipts? not seeing that mentioned in this posting (or am I missing something)?