Splunk Enterprise Security

Using "sendalert risk" from saved search fails?

bowesmana
SplunkTrust
SplunkTrust

A saved search that ends with

| sendalert risk param._risk_score=risk_score

runs fine, but fails when run as a saved search with the error

Error in 'sendalert' command: Alert script returned error code 3.

and in search.log just before it shows

sendmodalert - action=risk STDERR -  ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler__admin__XX/results.srs.gz'

Anyone run risk actions from saved searches successfully?

Labels (1)

neelshah
Path Finder

This usually happens when there are 0 results from the preceding search. If the results are more than 0 then you'll not see this error.  

So its safe to ignore this.

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...