Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SavedSearch running as type=Inline works, type=Saved fails - why?

bowesmana
SplunkTrust
SplunkTrust
‎09-30-2019 11:40 PM

I setup a saved search and it is failing to run. It is throwing an error in the gui

Error in 'sendalert' command: Alert script returned error code 3.

but I happened to create another when trying to debug it and that one worked. What I can see different is the the one that works has these two key lines in search.log

SavedSplunk - Savedsearch scheduling at the 'application' level is only effective the for 'nobody' user. Disabling schedule of savedsearch_ident="admin;SplunkEnterpriseSecuritySuite;Cancellations"

followed by

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569907560_121" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**inline**"

whereas the failing one does not have the first line, but has this for the second

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569910380_349" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**saved**"

key difference being type=inline vs saved

Just wondering what that first line means and if there is a way to always force a saved search to run inline in all cases

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-01-2019 09:33 PM

The background to this is that I am running Enterprise Security. I was hoping to assign a risk score to multiple objects, but a correlation search cannot run more than one adaptive response action for risk.

So, I am implementing a saved search instead that will

  • create a score/object/type tuple for each search result
  • mvexpand on this field
  • Split out the field
  • Run "sendalert risk" for each of the resulting events

Appendpipe does not solve the problem for more than two risk objects, as you end up with 2^(n-1) events where n is the number of risk objects.

The saved search works when run manually, but fails when scheduled.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...