Alerting

How to resolve error: sendtophantom: Alert action script returned error code=1?

freddy_Guo
Path Finder

Hi, 

We have recently switched from Phantom to SOAR and I'm trying to send our triggered alerts to SOAR. 

I have tested the Splunk Enterprise to SOAR connection and it works.

But I keep getting the following error for one alert:

11-04-2022 05:31:21.724 +1100 WARN  sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script returned error code=1

11-04-2022 05:31:21.724 +1100 INFO  sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script completed in duration=1394 ms with exit code=1


splunkoptimus
Path Finder

I'm also having the same error. How did you fix it?

03-01-2023 15:00:20.084 +0000 WARN sendmodalert [36371 AlertNotifierWorker-0] - action=aws_sns_modular_alert - Alert action script returned error code=1

freddy_Guo
Path Finder

Did you make it work? What was your issue?


freddy_Guo
Path Finder

Hi @splunkoptimus,

Our issue was caused by a missing label: we had the label "threat" configured in Phantom but not in SOAR, so SOAR was throwing an error because no matching label was found.

Hopefully that helps. 


splunkoptimus
Path Finder

No, there were special characters in my lookup which caused the email alert_action Python script to break. Once I removed the special characters, emails were sent out.

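Both answers in this thread came from the same kind of evidence: the `sendmodalert` lines in splunkd.log, which name the alert action and its exit code but not the underlying cause (the cause is in the script's own stderr, which Splunk relays as separate log lines). The following script is an added example, not code posted by either participant, that parses those lines into a per-action summary so you can see at a glance which action is failing and what it printed. The two quoted log lines are the ones from the thread; the STDERR line and the `aws_sns`/`email` completion lines are constructed, and the `action=<name> STDERR - <text>` layout for relayed stderr is an assumption about Splunk's log format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: the two lines quoted in the thread plus made-up lines
# (one relayed STDERR line, one failing and one succeeding action).
SAMPLE_LOG = """\
11-04-2022 05:31:20.330 +1100 INFO  sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom STDERR - phantom: no matching label 'threat' (constructed)
11-04-2022 05:31:21.724 +1100 WARN  sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script returned error code=1
11-04-2022 05:31:21.724 +1100 INFO  sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script completed in duration=1394 ms with exit code=1
03-01-2023 15:00:20.084 +0000 WARN sendmodalert [36371 AlertNotifierWorker-0] - action=aws_sns_modular_alert - Alert action script returned error code=1
03-01-2023 15:00:25.000 +0000 INFO  sendmodalert [36371 AlertNotifierWorker-0] - action=email - Alert action script completed in duration=210 ms with exit code=0
"""

# One sendmodalert line: timestamp, level, worker, action name, then the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+sendmodalert \[(?P<pid>\d+) [^\]]+\] - "
    r"action=(?P<action>\S+) (?P<rest>.*)$"
)
EXIT_RE = re.compile(r"exit code=(\d+)")        # completion line
ERROR_RE = re.compile(r"error code=(\d+)")      # WARN line from the thread
DURATION_RE = re.compile(r"duration=(\d+) ms")
STDERR_RE = re.compile(r"^STDERR - (.*)$")      # assumed relayed-stderr layout


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a sendmodalert line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(exit_code=None, error_code=None, duration_ms=None, stderr=None)
    if (em := EXIT_RE.search(rest)):
        rec["exit_code"] = int(em.group(1))
    if (em := ERROR_RE.search(rest)):
        rec["error_code"] = int(em.group(1))
    if (dm := DURATION_RE.search(rest)):
        rec["duration_ms"] = int(dm.group(1))
    if (sm := STDERR_RE.match(rest)):
        rec["stderr"] = sm.group(1)
    return rec


def summarize(log_text: str) -> Dict[str, dict]:
    """Fold the log into one entry per alert action."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"exit_code": None, "duration_ms": None, "failures": 0, "stderr": []}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["action"]]
        if rec["error_code"] is not None:
            entry["failures"] += 1            # each "returned error code" WARN
        if rec["exit_code"] is not None:
            entry["exit_code"] = rec["exit_code"]   # last completion wins
        if rec["duration_ms"] is not None:
            entry["duration_ms"] = rec["duration_ms"]
        if rec["stderr"] is not None:
            entry["stderr"].append(rec["stderr"])
    return dict(summary)


def failing_actions(summary: Dict[str, dict]) -> List[str]:
    """Actions that either logged an error code or exited non-zero."""
    return sorted(
        name for name, e in summary.items()
        if e["failures"] > 0 or e["exit_code"] not in (None, 0)
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name in failing_actions(report):
        e = report[name]
        print(f"{name}: exit={e['exit_code']} failures={e['failures']} "
              f"duration={e['duration_ms']}ms")
        for msg in e["stderr"]:
            print(f"    stderr: {msg}")
```

To feed it real data, pull the lines with `index=_internal sourcetype=splunkd component=sendmodalert action=sendtophantom` and export the raw events; the STDERR entries are where a SOAR-side rejection (such as the missing label above) or a Python traceback from a bad lookup value will actually show up, while the WARN line only tells you that exit code 1 was returned.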