Splunk Enterprise Security
Highlighted

Use "sendalert risk" from saved search fails

Motivator

A saved search that ends with

| sendalert risk param.riskscore=risk_score

runs fine, but fails when run as a saved search with the error

Error in 'sendalert' command: Alert script returned error code 3.

and in search.log just before it shows

sendmodalert - action=risk STDERR -  ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler__admin__XX/results.srs.gz'

Anyone run risk actions from saved searches successfully?