Using Linux,where are Splunk arguments ($0 to $8) ...

Isaias_Garcia · ‎11-11-2013

I need to pass a variable to run a shellscript..Where do the below Splunk arguments located or i what directory or conf file they can be modified?I'm using Linux. Please advise.

0 = Script name
• 1 = Number of events returned
• 2 = Search terms
• 3 = Fully qualified query string
• 4 = Name of saved search
• 5 = Trigger reason (i.e. "The number of events was greater than 1")
• 6 = Browser URL to view the saved search
• 7 = This option has been deprecated and is no longer used
• 8 = File where the results for this search are stored (contains raw results)

grijhwani · ‎11-12-2013

They are the positional parameters as passed to the script. You will refer to them within the script as $0..$8. What you do with them within the script is up to you.

It sounds like you are a shell scripting novice, in which case you would do better to go do some basic research on shell scripting.

A quick search for "simple shell scripting" "linux" returns a flood of results, but you could do worse than start with

Ayn · ‎11-12-2013

Not sure what you mean by where they're "located"? They're passed on as arguments to shell scripts you run as alert actions. It's not configurable, this is the arguments you always will get.

Using Linux,where are Splunk arguments ($0 to $8) located?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation