Afternoon all,
I've upgraded Splunk to version 6.1.3 recently and encountered an error in a scheduled saved search. The search, for an unknown reason, failed to identify the recipients listed in the configuration, and splunkd.log showed an error like this:
09-29-2014 15:30:18.287 +0700 ERROR ScriptRunner - stderr from '/apps/splunk/bin/python /apps/splunk/etc/apps/TselITSECOpSecEvents/bin/sendemail.py "results_link=https://10.35.105.25:8000/app/TselITSECOpSecEvents/@go?sid=scheduler__admin__TselITSECOpSecEvents__RMD5dba399bcecc9591e_at_1411979400_324" "ssname=tsel_itsecevent_unusual_access_to_resource_non_privilage_user" "graceful=True" "trigger_time=1411979418" results_file="/apps/splunk/var/run/splunk/dispatch/scheduler__admin__TselITSECOpSecEvents__RMD5dba399bcecc9591e_at_1411979400_324/results.csv.gz"': ERROR:root:missing required argument: to. Please specify at least on email recipient as: "to=address@example.com"
I've inspected the job and I found all recipients. Unfortunately, Splunk keeps delivering the same error message. Can someone enlighten me about this case?
Thanks in advance
Hello Vincenteous,
This is happening because of your old sendemail.py file. If you have managed to customize it, you may not be able to use it with savedsearch. There are two options.
Thanks,
L
Thanks to L. I've replaced the old sendemail.py with the one from Splunk version 6.1.3. As a preemptive measure, I've also replaced the old sendemail_handler.py.
Thank you very much, L. I had suspected before that sendemail.py would be the primary cause, but I wasn't sure enough to execute it. I used method no. 2 in the end.
Great catch, thanks for sharing!