Hello,
I'm stuck. I can't get a simple alert against the source=WinEventLog:Security to send me a CSV file. This is on Splunk Enterprise v6.3.
The search that I am trying to do is simple:
source=WinEventLog:Security | stats count by host
For this test, I have it set up to run as a cron every 5 minutes, with the checkbox set to create a CSV and email it to myself. It runs as expected. I can view the results in the *Triggered Alerts* and see that it creates 124 lines that look like:
host count
XX-APP01 31
XX-APP02 25
etc
However, no CSV is emailed to me.
Looking in python.log, sendemail does not generate an error message.
When I change it to send a PDF via email, or show the results in-line via email, the email arrives within 10 seconds of the job running, with the 124 lines displayed. Based on this, I don't believe it is an email issue.
Can't figure out why a simple CSV will not be generated and emailed. What (or where) should I look next? Is there some Splunk config switch that I need to turn on (or off)?
The problem was solved by upgrading from 6.3 to 6.4. Everything works like it's supposed to now.
Some good info here..
I would open a support case.