Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to resolve error: sendtophantom: Alert action ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to resolve error: sendtophantom: Alert action script returned error code=1?
freddy_Guo
Path Finder
11-03-2022
03:16 PM
Hi,
We have recently switched from Phantom to SOAR and I'm trying to send our triggered alerts to SOAR.
I have tested that from Splunk Enterprise to SOAR connect and it works.
But I keep getting the following error for one alert
11-04-2022 05:31:21.724 +1100 WARN sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script returned error code=1
11-04-2022 05:31:21.724 +1100 INFO sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script completed in duration=1394 ms with exit code=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkoptimus
Path Finder
03-01-2023
05:02 PM
I'm also having the same error. How did you fix it?
03-01-2023 15:00:20.084 +0000 WARN sendmodalert [36371 AlertNotifierWorker-0] - action=aws_sns_modular_alert - Alert action script returned error code=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
freddy_Guo
Path Finder
03-08-2023
03:03 PM
Did you make it work? What was your issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
freddy_Guo
Path Finder
03-01-2023
06:38 PM
Hi @splunkoptimus,
Our issue was caused by a missing label. So we have label "threat" configured in Phantom but not in SOAR. So SOAR was throwing error due to no matching label found.
Hopefully that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkoptimus
Path Finder
03-08-2023
10:35 PM
No, there were special characters in my lookup which caused the email alert_action python script to break. Once I removed the special characters email were sent out.
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
