Hi @kumar28,
If you are using "Run a script" (alert action), this feature has been deprecated since Splunk 6.3, and Splunk introduced a new feature, Custom Alert Action, but "Run a script" (alert action) is still working.
If you want to fetch the parameters for the "alert action", please refer to http://docs.splunk.com/Documentation/Splunk/7.0.1/Alert/Configuringscriptedalerts
Based on the documentation, $SPLUNK_ARG_8 gives you the filename, with full path, in which the query result will be stored; it will be a compressed (.gz) CSV file. Once you have this file, you can use the zcat command in Linux to read the content of the compressed CSV file, and you can implement your logic to read every row and the required column values from that file.
If you are trying to implement a "Custom Alert Action", you can read the payload in your script to fetch the payload values, and from that payload you will be able to find the results_file parameter, which gives you the filename, with full path, in which the query result will be stored. It will be a compressed (.gz) CSV file, and then you can perform the same logic which I explained above for the "alert script".
I hope this helps.
Thanks,
Harshil
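An added example, not part of the original answer and not Splunk's own code: a Python sketch that locates the results file either from SPLUNK_ARG_8 (scripted alert) or from the results_file field of a custom alert action payload, then reads the gzip-compressed CSV row by row. It assumes the custom alert action is configured to receive its payload as JSON; the function names, column names and sample rows are constructed for illustration.

```python
import csv
import gzip
import json
import os
import tempfile


def results_file_from_env(environ=os.environ):
    """Legacy "Run a script" action: SPLUNK_ARG_8 holds the results file path."""
    return environ.get("SPLUNK_ARG_8")


def results_file_from_payload(payload_text):
    """Custom alert action: the payload (assumed JSON here) carries results_file."""
    return json.loads(payload_text).get("results_file")


def read_rows(path, columns=None):
    """Return the rows of the gzip-compressed CSV as dicts, optionally only some columns."""
    if not path or not os.path.isfile(path):
        raise FileNotFoundError(f"results file not found: {path!r}")
    rows = []
    # The csv module handles quoted fields and embedded commas, unlike naive splitting.
    with gzip.open(path, mode="rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):
            if columns is not None:
                row = {c: row.get(c, "") for c in columns}
            rows.append(row)
    return rows


def make_sample_results(directory):
    """Constructed sample standing in for the file Splunk writes for an alert."""
    path = os.path.join(directory, "results.csv.gz")
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["host", "src_ip", "count"])
        writer.writerow(["web01", "192.0.2.10", "42"])
        writer.writerow(["web02", "198.51.100.7", "7"])
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = make_sample_results(tmp)
        payload = json.dumps({"search_name": "demo", "results_file": sample})
        for row in read_rows(results_file_from_payload(payload), ["host", "count"]):
            print(row["host"], row["count"])
```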