Alerting

action=notable STDERR - ERROR: [Errno 13] Permission denied

leuorrouel
Loves-to-Learn

SPL Query:
index=_internal sourcetype=splunkd component=sendmodalert action=notable

Output:

10-27-2021 16:31:01.962 +0200 WARN  sendmodalert - action=notable - Alert action script returned error code=3
10-27-2021 16:31:01.962 +0200 INFO  sendmodalert - action=notable - Alert action script completed in duration=103 ms with exit code=3
10-27-2021 16:31:01.962 +0200 ERROR  sendmodalert - action=notable STDERR - ERROR: [Errno 13] Permission denied
10-27-2021 16:31:01.858 +0200 INFO  sendmodalert - Invoking modular alert action=notable for search="Threat - ....... - Rule" sid="......" in app="SplunkEnterpriseSecuritySuite" owner="......" type="saved" 

Dear all,

does someone know why permissions are denied for creating notable events in Enterprise Security (6.4.1) after a correlation search is triggered? The owner of the search has an ess_admin role.

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques

Hello! We are excited to kick off a new series of blogs from SplunkTrust member ITWhisperer, who demonstrates ...

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...