Reporting

External search command sendfile returned error code 1

AdrianMCZ
Explorer

Hello everybody,

My first case to this community as I am relatively new to Splunk detailing, would be the following:

I am encountering: External search command 'sendfile' returned error code 1. for the below search.

The savedsearch returns the correct results while ran independently, but the output is always the same when trying to send an automated report running the job described. Worth mentioning that if I sample the results, the report is sent, otherwise Splunk spits the error I am facing.

Do you know where can I look to fix it?

Thank you in advance!

| savedsearch "savedsearchname"

| outputxls

[| stats count

| eval search=strftime(now(), "File_name_%Y%m%d.xlsx")

| fields search]

| sendfile "sender" "receiver"

[| stats count

| eval first=strftime(relative_time(now(),"-1y"), "Title of report - %d/%m/%Y")

| eval search = first+strftime(relative_time(now(),"@d")," and %d/%m/%Y")

| eval search = "\""+search+"\""

| fields search] "report testing insert text here"

[| stats count

| eval search=strftime(now(), "File_name_%Y%m%d.xlsx")

| fields search] "smtp.server"

Labels (3)
0 Karma
1 Solution

AdrianMCZ
Explorer

Weird that this error appeared each time but no correlation was found.

In fact, it is all about the number of results, which exceeded 40k and the e-mail was not sent with the automatic report.

I have reduced the time span for the search from 1 year to 6 months and it worked like a charm.

Closing this as a solution.

View solution in original post

0 Karma

AdrianMCZ
Explorer

Hi @kamlesh_vaghela splunkd.log states:

WARN HttpListener - Socket error from x.x.x.x:51229 while idling: error 14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.

I have checked that the certificate presented by my HEC and it is valid by running  openssl s_client -connect your.splunk.hec.server:8088 as described in  TCPDUMP-Command and the certificates are self-signed, as No client certificate CA names sent is returned.


0 Karma

AdrianMCZ
Explorer

Weird that this error appeared each time but no correlation was found.

In fact, it is all about the number of results, which exceeded 40k and the e-mail was not sent with the automatic report.

I have reduced the time span for the search from 1 year to 6 months and it worked like a charm.

Closing this as a solution.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@AdrianMCZ 

Can you please check splunkd.log file for errors?

 

KV

Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...