Reporting

External search command sendfile returned error code 1

AdrianMCZ
Explorer

Hello everybody,

My first case to this community as I am relatively new to Splunk detailing, would be the following:

I am encountering: External search command 'sendfile' returned error code 1. for the below search.

The savedsearch returns the correct results while ran independently, but the output is always the same when trying to send an automated report running the job described. Worth mentioning that if I sample the results, the report is sent, otherwise Splunk spits the error I am facing.

Do you know where can I look to fix it?

Thank you in advance!

| savedsearch "savedsearchname"

| outputxls

[| stats count

| eval search=strftime(now(), "File_name_%Y%m%d.xlsx")

| fields search]

| sendfile "sender" "receiver"

[| stats count

| eval first=strftime(relative_time(now(),"-1y"), "Title of report - %d/%m/%Y")

| eval search = first+strftime(relative_time(now(),"@d")," and %d/%m/%Y")

| eval search = "\""+search+"\""

| fields search] "report testing insert text here"

[| stats count

| eval search=strftime(now(), "File_name_%Y%m%d.xlsx")

| fields search] "smtp.server"

Labels (3)
0 Karma
1 Solution

AdrianMCZ
Explorer

Weird that this error appeared each time but no correlation was found.

In fact, it is all about the number of results, which exceeded 40k and the e-mail was not sent with the automatic report.

I have reduced the time span for the search from 1 year to 6 months and it worked like a charm.

Closing this as a solution.

View solution in original post

0 Karma

AdrianMCZ
Explorer

Hi @kamlesh_vaghela splunkd.log states:

WARN HttpListener - Socket error from x.x.x.x:51229 while idling: error 14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.

I have checked that the certificate presented by my HEC and it is valid by running  openssl s_client -connect your.splunk.hec.server:8088 as described in  TCPDUMP-Command and the certificates are self-signed, as No client certificate CA names sent is returned.


0 Karma

AdrianMCZ
Explorer

Weird that this error appeared each time but no correlation was found.

In fact, it is all about the number of results, which exceeded 40k and the e-mail was not sent with the automatic report.

I have reduced the time span for the search from 1 year to 6 months and it worked like a charm.

Closing this as a solution.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@AdrianMCZ 

Can you please check splunkd.log file for errors?

 

KV

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...