Reporting

External search command sendfile returned error code 1

AdrianMCZ
Explorer

Hello everybody,

My first case to this community as I am relatively new to Splunk detailing, would be the following:

I am encountering: External search command 'sendfile' returned error code 1. for the below search.

The savedsearch returns the correct results while ran independently, but the output is always the same when trying to send an automated report running the job described. Worth mentioning that if I sample the results, the report is sent, otherwise Splunk spits the error I am facing.

Do you know where can I look to fix it?

Thank you in advance!

| savedsearch "savedsearchname"

| outputxls

[| stats count

| eval search=strftime(now(), "File_name_%Y%m%d.xlsx")

| fields search]

| sendfile "sender" "receiver"

[| stats count

| eval first=strftime(relative_time(now(),"-1y"), "Title of report - %d/%m/%Y")

| eval search = first+strftime(relative_time(now(),"@d")," and %d/%m/%Y")

| eval search = "\""+search+"\""

| fields search] "report testing insert text here"

[| stats count

| eval search=strftime(now(), "File_name_%Y%m%d.xlsx")

| fields search] "smtp.server"

Labels (3)
0 Karma
1 Solution

AdrianMCZ
Explorer

Weird that this error appeared each time but no correlation was found.

In fact, it is all about the number of results, which exceeded 40k and the e-mail was not sent with the automatic report.

I have reduced the time span for the search from 1 year to 6 months and it worked like a charm.

Closing this as a solution.

View solution in original post

0 Karma

AdrianMCZ
Explorer

Hi @kamlesh_vaghela splunkd.log states:

WARN HttpListener - Socket error from x.x.x.x:51229 while idling: error 14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.

I have checked that the certificate presented by my HEC and it is valid by running  openssl s_client -connect your.splunk.hec.server:8088 as described in  TCPDUMP-Command and the certificates are self-signed, as No client certificate CA names sent is returned.


0 Karma

AdrianMCZ
Explorer

Weird that this error appeared each time but no correlation was found.

In fact, it is all about the number of results, which exceeded 40k and the e-mail was not sent with the automatic report.

I have reduced the time span for the search from 1 year to 6 months and it worked like a charm.

Closing this as a solution.

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@AdrianMCZ 

Can you please check splunkd.log file for errors?

 

KV

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!