Alerting

Error Code=3

mbarbaro
Path Finder

06-26-2017 15:30:54.878 +0200 WARN sendmodalert - action=sendmail_action - Alert action script returned error code=3

Hello, does someone know what error code 3 means?

Thanks in advance

woodcock
Esteemed Legend

This just means that the script being called did not run to completion.
I recently had a confusing problem that caused this exact error.
I had a working design where I had a sendalert named "my_send_alert" which called a Python script named "my_send_alert.py" which then called a shell script named "my_send_alert_alt.sh". It all worked great. So I cloned it to create a different one and it didn't work, giving this error. The problem ended up being that I named the shell script the same name as the Python script and Splunk was SKIPPING calling the Python script and was calling the shell script directly! I simply changed the name of the shell script and all was well. So in summary: all 3 named the same does not work.

This DOES NOT work:

my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert.sh


This DOES work:

my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert_alt.sh


This should also work:

my_send_alert(alert_actions.conf) -> my_send_alert.sh
0 Karma

spy_jr
Explorer

Hello @woodcock,
A question: in your post I see that you talk about some scripts. I wanted to know if those allow you to stop the error=3 when you run a search and it doesn't return any results.
Currently I need to run correlation searches with the command at the end "... | sendalert risk ... ".
But when there are no results it throws that error and the whole correlation search is truncated, and for that reason I wanted to know if there is a way to abort the sendalert risk when there are no results.

0 Karma

japger_splunk
Splunk Employee

If this issue was resolved, what was the fix? Permissions? Thanks.

0 Karma

Statixs
Engager

Hi Mbarbaro,

I have had the same error for my own technical add-on, and by looking at the source code of the alert script, error code 3 seems related to input parameters not being correctly parsed or having the value None (null), resulting in the alert script quitting.

If you are trying to add search results to the email message, use the $result.$ to add that specific field value. For example, if you want to add the value of the field user from your search results, this would be accomplished with $result.user$

0 Karma
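
An added example, not part of the original thread and not Splunk's or any add-on's own code: a minimal custom alert action script in the shape Statixs describes, where a parameter that fails to parse or arrives empty makes the script quit with code 3. The exit-code mapping, the parameter names `recipient` and `subject`, and the sample payloads are assumptions of this sketch; only the `--execute` argument and the JSON payload on stdin follow Splunk's custom alert action convention.

```python
import json
import sys

# Hypothetical required parameters for this sketch's alert action.
REQUIRED = ("recipient", "subject")

# Constructed sample payloads: one complete, one where a field token
# expanded to an empty value (e.g. the search returned no matching field).
GOOD_PAYLOAD = json.dumps({
    "search_name": "constructed example alert",
    "configuration": {"recipient": "soc@example.com", "subject": "Login by alice"},
    "result": {"user": "alice"},
})
EMPTY_PARAM_PAYLOAD = json.dumps({
    "search_name": "constructed example alert",
    "configuration": {"recipient": "", "subject": "Login by "},
    "result": {},
})


def run(argv, stdin_text):
    """Return the exit code this sketch's alert script hands back to its caller."""
    if len(argv) < 2 or argv[1] != "--execute":
        print("FATAL unsupported execution mode (expected --execute)", file=sys.stderr)
        return 1
    try:
        payload = json.loads(stdin_text)
    except ValueError as exc:
        print(f"ERROR payload is not valid JSON: {exc}", file=sys.stderr)
        return 2
    if not isinstance(payload, dict):
        print("ERROR payload is not a JSON object", file=sys.stderr)
        return 2
    config = payload.get("configuration") or {}
    # Treat both absent (None) and empty-string parameters as unusable.
    missing = [name for name in REQUIRED if config.get(name) in (None, "")]
    if missing:
        # Name the failing parameters so the non-zero exit is diagnosable.
        print(f"ERROR missing or empty parameters: {missing}", file=sys.stderr)
        return 3
    # The real delivery step (mail, webhook, ...) would go here.
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv, sys.stdin.read()))
```

Writing the reason to stderr before returning a non-zero code is what turns a bare "returned error code=3" into something that can be traced to a specific parameter.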

Richfez
SplunkTrust

Could you provide the exact Splunk version you are working with?

And is that the exact string returned?

I'd suggest perhaps narrowing down the issue by creating a new alert with as little selected as possible. Then add one thing at a time to it and see when it fails.

0 Karma