Getting Data In

Using Linux,where are Splunk arguments ($0 to $8) located?

Path Finder

I need to pass a variable to run a shellscript..Where do the below Splunk arguments located or i what directory or conf file they can be modified?I'm using Linux. Please advise.

0 = Script name
• 1 = Number of events returned
• 2 = Search terms
• 3 = Fully qualified query string
• 4 = Name of saved search
• 5 = Trigger reason (i.e. "The number of events was greater than 1")
• 6 = Browser URL to view the saved search
• 7 = This option has been deprecated and is no longer used
• 8 = File where the results for this search are stored (contains raw results)

Tags (2)
0 Karma


They are the positional parameters as passed to the script. You will refer to them within the script as $0..$8. What you do with them within the script is up to you.

It sounds like you are a shell scripting novice, in which case you would do better to go do some basic research on shell scripting.

A quick search for "simple shell scripting" "linux" returns a flood of results, but you could do worse than start with


Not sure what you mean by where they're "located"? They're passed on as arguments to shell scripts you run as alert actions. It's not configurable, this is the arguments you always will get.

Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...