After upgrade to 7.2.6, scheduled searches and/or alerts that would send PDF via email no longer work.
Running these searches manually ad-hoc produces the correct results expected. Previewing the PDF also works correctly, showing that the PDF is generated.
Looking in python.log, warnings are shown:
2019-04-25 03:01:02,688 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,839 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,872 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:02:02,904 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:03:03,140 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:03:03,146 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 03:10:03,206 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
2019-04-25 06:00:03,332 -0500 WARNING sendemail:1398 - search results is empty, no email will be sent
We are able to reproduce this in our repro environments.
This is a known issue SPL-169625 which will be fixed in later version.
Current workaround is:
1. Replace 'sendemail.py' from 7.2.6 with the same file in version 7.2.5.1.
2. Edit the saved search in the "Search" field replace "| noop" with "| makeresults"
Find the file C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py
Edit line 1392
if results:
-> if True:
Can fix the issue.
For workaround #2 do:
Goto Settings > All configurations > click on the _ScheduledView that you just created and the search field will default to "| noop". Change the Search default to "| makeresults" for it to work for now.
Are workaround's #1 and #2 two alternatives? Or do both need to be done?
Thanks
They are alternatives, you do not need to do both of them.
This is a known issue SPL-169625 which will be fixed in later version.
Current workaround is:
1. Replace 'sendemail.py' from 7.2.6 with the same file in version 7.2.5.1.
2. Edit the saved search in the "Search" field replace "| noop" with "| makeresults"
Please update https://docs.splunk.com/Documentation/Splunk/7.2.6/ReleaseNotes/Knownissues
Description of impact/defect is not clear. We have several customers relying on scheduled pdf - not working for some (upgraded installations).
I concur. Please update the release notes with detailed workarounds. Email reports failures from an enterprise level logging solution is not a small issue.