A saved search that ends with
| sendalert risk param.riskscore=risk_score
runs fine, but fails when run as a saved search with the error
Error in 'sendalert' command: Alert script returned error code 3.
and in search.log just before it shows
sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler__admin__XX/results.srs.gz'
Anyone run risk actions from saved searches successfully?