I'm stuck. I can't get a simple alert against the source=WinEventLog:Security to send me a CSV file. This is on Splunk Enterprise v 6.3
The search that I am trying to do is simple
source=WinEventLog:Security | stats count by host
For this test, I have it set up to run as a cron every 5 minutes, with the checkbox set to create a CSV and email it to myself. It runs as expected. I can view the results in the *Triggered Alerts * and see that it creates 124 lines that look like
host count XX-APP01 31 XX-APP02 25 etc
However, no CSV is emailed to me.
Looking in python.log, sendemail does not generate an error message
When I change it to send a PDF via email, or show the results in-line via email, the email arrives within 10 seconds of the job running, with the 124 lines displayed. Based on this, I don't believe it is an email issue.
Can't figure out why a simple CSV will not be generated and emailed. What (or where) should I look next? Is there some Splunk config switch that I need to turn on (or off)?