Alerting

Why is my scheduled Alert not emailing me a CSV file?

randymoore
Explorer

Hello,

I'm stuck. I can't get a simple alert against the source=WinEventLog:Security to send me a CSV file. This is on Splunk Enterprise v 6.3

The search that I am trying to do is simple

source=WinEventLog:Security | stats count by host

For this test, I have it set up to run as a cron every 5 minutes, with the checkbox set to create a CSV and email it to myself. It runs as expected. I can view the results in the *Triggered Alerts* and see that it creates 124 lines that look like

    host          count
    XX-APP01       31
    XX-APP02       25
    etc

However, no CSV is emailed to me.

Looking in python.log, sendemail does not generate an error message

When I change it to send a PDF via email, or show the results in-line via email, the email arrives within 10 seconds of the job running, with the 124 lines displayed. Based on this, I don't believe it is an email issue.

Can't figure out why a simple CSV will not be generated and emailed. What (or where) should I look next? Is there some Splunk config switch that I need to turn on (or off)?

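The alert described in the question, written out as a savedsearches.conf stanza instead of through the UI checkboxes. This is an added example, not configuration from the original post: the stanza name, recipient address and time window are assumptions, and the `action.email.*` keys are the standard savedsearches.conf settings that the "send CSV", "send PDF" and "inline" options map to.

```ini
# Added example (not from the original post): the alert from the question as a
# savedsearches.conf stanza under $SPLUNK_HOME/etc/apps/<app>/local/.
# Stanza name, recipient and time window are assumptions.
[Security events per host - CSV alert]
search = source=WinEventLog:Security | stats count by host

# Schedule: every 5 minutes, as in the question, over the last 5 minutes
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger whenever the search returns at least one row, and list each
# firing under Activity > Triggered Alerts
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Email action: the "send CSV" checkbox corresponds to action.email.sendcsv,
# "send PDF" to action.email.sendpdf and "inline" to action.email.inline
action.email = 1
action.email.to = analyst@example.com
action.email.subject = Splunk Alert: $name$
action.email.sendresults = 1
action.email.sendcsv = 1
action.email.sendpdf = 0
action.email.inline = 0
# Rows beyond this count are not included in the attachment (default 10000)
action.email.maxresults = 10000
```

After saving the stanza, confirm what Splunk actually merged from all configuration layers with `splunk btool savedsearches list "Security events per host - CSV alert" --debug`; if `action.email.sendcsv = 1` is reported from a different file than the one edited, another layer is overriding it. Then, as the poster did, watch `$SPLUNK_HOME/var/log/splunk/python.log` for the sendemail lines written when the schedule fires.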
1 Solution

randymoore
Explorer

The problem was solved by upgrading from 6.3 to 6.4. Everything works like it's supposed to now.


Yasaswy
Contributor

Some good info here..


woodcock
Esteemed Legend

I would open a support case.
