Splunk Enterprise Security

Example of "adaptive response action" execute error


Hi Splunkers,
I followed the example of "adaptive response action" in this website https://dev.splunk.com/view/enterprise-security/SP-CAAAFBH
All i did was the same as this document described,when i filled splunk search box like :

| makeresults | eval user="example@example.com"| sendalert haveibeenpwned param.parameter_field=user

it displayed error words liked :
Error in 'sendalert' command: Alert script returned error code 1.

there were no debugging log here(i didnot know where to check the log).
i had checked the code and config file very carefully.Had anyone encountered the above situation?
if you had followed this example successfully (Can you provide your app?).
i need you help ,tks.

0 Karma

Splunk Employee
Splunk Employee

Check the search.log for the query you perform. This is under the Job > Inspect Job sub-menu near the time-picker.

Towards the end of the file, there should be a section for ERRORs thrown by the ScriptRunner component. Depending on if your script is written to send its errors to stderr (most are), you will see the error messages for the script.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...