https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/633820#M14864 <P>Did you make it work? What was your issue?</P> Wed, 08 Mar 2023 23:03:32 GMT freddy_Guo 2023-03-08T23:03:32Z https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/619559#M14484 <P>Hi,&nbsp;</P> <P>We have recently switched from Phantom to SOAR and I'm trying to send our triggered alerts to SOAR.&nbsp;</P> <P>I have tested that from Splunk Enterprise to SOAR connect and it works.</P> <P>But I keep getting the following error for one alert</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">11-04-2022 05:31:21.724 +1100 WARN sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script returned error code=1 11-04-2022 05:31:21.724 +1100 INFO sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script completed in duration=1394 ms with exit code=1</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 02 Mar 2023 15:07:13 GMT https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/619559#M14484 freddy_Guo 2023-03-02T15:07:13Z https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/632891#M14833 <P>I'm also having the same error. How did you fix it?<BR /><BR /></P><DIV class=""><DIV class=""><STRONG><EM><SPAN class=""><SPAN class="">03-01</SPAN>-2023</SPAN> <SPAN class="">15:00:20.084</SPAN> +<SPAN class="">0000</SPAN> <SPAN class="">WARN</SPAN> <SPAN class="">sendmodalert</SPAN> [<SPAN class="">36371</SPAN> <SPAN class="">AlertNotifierWorker-0</SPAN>] <SPAN class="">-</SPAN> <SPAN class="">action=aws_sns_modular_alert</SPAN> <SPAN class="">-</SPAN> <SPAN class="">Alert</SPAN> <SPAN class="">action</SPAN> <SPAN class="">script</SPAN> <SPAN class="">returned</SPAN> <SPAN class="">error</SPAN> <SPAN class="">code=1</SPAN></EM></STRONG></DIV></DIV> Thu, 02 Mar 2023 01:02:18 GMT https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/632891#M14833 splunkoptimus 2023-03-02T01:02:18Z https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/632897#M14835 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244852">@splunkoptimus</a>,</P><P>&nbsp;</P><P>Our issue was caused by a missing label. So we have label "threat" configured in Phantom but not in SOAR. So SOAR was throwing error due to no matching label found.&nbsp;</P><P>Hopefully that helps.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 02 Mar 2023 02:38:01 GMT https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/632897#M14835 freddy_Guo 2023-03-02T02:38:01Z https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/633820#M14864 <P>Did you make it work? What was your issue?</P> Wed, 08 Mar 2023 23:03:32 GMT https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/633820#M14864 freddy_Guo 2023-03-08T23:03:32Z https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/633835#M14865 <P>No, there were special characters in my lookup which caused the email alert_action python script to break. Once I removed the special characters email were sent out.&nbsp;</P> Thu, 09 Mar 2023 06:35:31 GMT https://community.splunk.com/t5/Alerting/How-to-resolve-error-sendtophantom-Alert-action-script-returned/m-p/633835#M14865 splunkoptimus 2023-03-09T06:35:31Z