topic Re: Splunk 8.0 sendemail/subsearch issues after upgrading in Splunk Search

Splunk 8.0 sendemail/subsearch issues after upgrading

aallred — Thu, 24 Oct 2019 15:07:58 GMT

Recently upgraded from 7.2.3 to 8.0 and a previously configured scheduled alert is not longer sending emails correctly. The search pulls from a lookup table that contains vulnerability scan data containing four fields: Hostname, Vulnerability, Priority, and Responsibility. What I'm trying to accomplish and what has been working up until the upgrade was that a map search would iterate over the hostnames, group all vulnerabilities for that host into a table, and send that as a separate email per host. So in this example, the subsearch would find up to 25 hosts and send 25 separate emails to an email address.

| inputlookup vulnreporthostlookup.csv | stats values(Vulnerability) AS Vulnerability by Hostname | map maxsearches=25 search="|inputlookup vulnreporthostlookup.csv | search Hostname=\"$Hostname$\"| table Hostname, Vulnerability, Priority, Responsibility | sendemail to=username@domain.com from=splunkalert@domain.com subject=\"Scan result data for $result.Responsibility$ : $Hostname$\" message="" sendresults=true inline=true sendcsv=true"

The error in python.log probably as something to do with it. It complains about authorization to run the subsearch I guess? I've checked and reapplied capabilities to my account and I'm a full admin.

2019-10-24 10:56:41,391 -0400 ERROR sendemail:1422 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/username/default_app/search/jobs/subsearch_1571928983.1146_1571929000.25?output_mode=json

I understand that this could be a two-fold problem, one is that my syntax is not optimized for the job at hand and the other being something that broke permissions on upgrade. Does anyone have any thoughts? Need help.

Re: Splunk 8.0 sendemail/subsearch issues after upgrading

ChrisG — Fri, 25 Oct 2019 15:12:45 GMT

Have you opened a support case for this? If there is an actual defect in 8.0 that is causing this issue, they can file it with the engineering team.

Re: Splunk 8.0 sendemail/subsearch issues after upgrading

djluke — Mon, 06 Apr 2020 10:13:06 GMT

Hi,
did you solve the problem?

Re: Splunk 8.0 sendemail/subsearch issues after upgrading

rickferrante — Fri, 24 Apr 2020 18:14:07 GMT

The subquery doesn't seem to have the session context.

"| sendemail [options] " called from parent search works fine.

"| sendemail [options]" in map command subquery returns:

ERROR sendemail:1435 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/auditadmin/auditreports/search/jobs/subsearch_1587751603.162_1587751603.7?output_mode=json
Traceback (most recent call last):
File "/export/appl/ela/apps/splunk/etc/apps/search/bin/sendemail.py", line 1428

Re: Splunk 8.0 sendemail/subsearch issues after upgrading

fk319 — Wed, 15 Jul 2020 20:25:20 GMT

I had this issue when running 8.0.3. I just upgraded to 8.0.5 and it works as expected.

Re: Splunk 8.0 sendemail/subsearch issues after upgrading

impurush — Mon, 02 Nov 2020 15:16:19 GMT

Hi @aallred, Did you got a chance to solve the problem, or do you have any workaround for your scenarios.
I am also facing the same problem right now. The same alert use to work in the 7.2.1 version and it is not working after I upgrade to 8.0.1.

Re: Splunk 8.0 sendemail/subsearch issues after upgrading

wangjianiu — Fri, 30 Apr 2021 04:16:48 GMT

and you got a fix for this? i am getting the same issue