Hi,

The alert action script receives the configuration and results from stdin in JSON format. Example:

    {
      "app": "search",
      "owner": "admin",
      "results_file": "heregoesthecreditcardnumber",
      "results_link": "heregoesthecreditcardnumber",
      "search_uri": "/servicesNS/nobody/search/saved/searches/testalert",
      "server_host": "art-mb-2.local",
      "server_uri": "heregoesthecreditcardnumber",
      "session_key": "heregoesthecreditcardnumber",
      "sid": "scheduler__admin__search__testalert_at_1569508320_128",
      "search_name": "testalert",
      "configuration": {
        "email": "andreas at batchworks.de",
        "company": "batchworks",
        "severity": "WARNING"
      },
      "result": {
        "sourcetype": "splunkd",
        "count": "80"
      }
    }

Your search results are in "result". Read this in Python like:

    import json
    import sys
    result = sys.stdin.read()  # the alert payload arrives as JSON on stdin
    settings = json.loads(result)

Regards,
Andreas
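A fuller version of the stdin handling described in the answer above, as an added example that is not part of the original post: it validates the payload and masks `session_key`, which is an authentication token, before anything is logged. The set of required keys, the helper names and the sample payload are assumptions made for this example.

```python
import json
import sys

# Keys whose values must never reach a log file. session_key appears in the
# payload shown in the post; the choice of required keys is an assumption.
SECRET_KEYS = {"session_key"}
REQUIRED_KEYS = {"search_name", "sid", "configuration", "result"}


def load_payload(text):
    """Parse and sanity-check the JSON text the alert action reads from stdin."""
    payload = json.loads(text)
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    missing = REQUIRED_KEYS - payload.keys()
    if missing:
        raise ValueError("payload is missing keys: " + ", ".join(sorted(missing)))
    for key in ("configuration", "result"):
        if not isinstance(payload[key], dict):
            raise ValueError(key + " is not a JSON object")
    return payload


def redact(payload):
    """Return a copy that is safe to log: secret values are masked."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in payload.items()}


def describe(payload):
    """Build one log line from the alert's configuration and result."""
    cfg, res = payload["configuration"], payload["result"]
    return "%s severity=%s count=%s" % (
        payload["search_name"], cfg.get("severity", "UNKNOWN"), res.get("count", "?"))


# Constructed sample payload, shaped like the one in the post.
SAMPLE = json.dumps({
    "search_name": "testalert",
    "sid": "scheduler__admin__search__testalert_at_1569508320_128",
    "session_key": "CONSTRUCTED-PLACEHOLDER",
    "configuration": {"severity": "WARNING", "company": "batchworks"},
    "result": {"sourcetype": "splunkd", "count": "80"},
})

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    alert = load_payload(raw or SAMPLE)  # fall back to the sample when nothing is piped in
    print(describe(alert), file=sys.stderr)
    print(json.dumps(redact(alert)), file=sys.stderr)
```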