Splunk Enterprise Security

SavedSearch running as type=Inline works, type=Saved fails - why?

bowesmana
SplunkTrust

I set up a saved search and it is failing to run. It is throwing an error in the GUI:

Error in 'sendalert' command: Alert script returned error code 3.

but I happened to create another one when trying to debug it, and that one worked. What I can see that is different is that the one that works has these two key lines in search.log:

SavedSplunk - Savedsearch scheduling at the 'application' level is only effective the for 'nobody' user. Disabling schedule of savedsearch_ident="admin;SplunkEnterpriseSecuritySuite;Cancellations"

followed by:

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569907560_121" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**inline**"

whereas the failing one does not have the first line, but has this for the second:

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569910380_349" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**saved**"

The key difference is type=inline vs. saved.

Just wondering what that first line means, and whether there is a way to always force a saved search to run inline in all cases.


bowesmana
SplunkTrust

The background to this is that I am running Enterprise Security. I was hoping to assign a risk score to multiple objects, but a correlation search cannot run more than one adaptive response action for risk.

So, I am implementing a saved search instead that will:

  • Create a score/object/type tuple for each search result
  • mvexpand on this field
  • Split out the field
  • Run "sendalert risk" for each of the resulting events

Appendpipe does not solve the problem for more than two risk objects, as you end up with 2^(n-1) events where n is the number of risk objects.

The saved search works when run manually, but fails when scheduled.

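A sketch of the four-step pipeline described in this post, added here as an illustration and not the poster's own search. The tuples are constructed sample values standing in for real search results; the search assumes the `comment` macro shipped with ES is available, that the risk adaptive response action takes the object and type field names via `param._risk_object` and `param._risk_object_type`, and that a per-result `risk_score` field overrides the static `param._risk_score` (check both against the risk action in your ES version).

```spl
| makeresults count=1
| eval risk_tuples="40|alice|user,60|10.0.0.5|system"
| `comment("constructed sample: each tuple is score|object|type; a real search would build this field from its own results")`
| makemv delim="," risk_tuples
| mvexpand risk_tuples
| eval parts=split(risk_tuples, "|")
| eval risk_score=mvindex(parts, 0), risk_object=mvindex(parts, 1), risk_object_type=mvindex(parts, 2)
| table risk_score risk_object risk_object_type
| `comment("assumption: these param names match the ES risk action, and a risk_score field in each result overrides the static score below")`
| sendalert risk param._risk_object="risk_object" param._risk_object_type="risk_object_type" param._risk_score="40"
```

If your ES version does not honour a per-result `risk_score`, run one `sendalert risk` per distinct score instead of relying on the override.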