Splunk Enterprise Security

sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

New Member

I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds a risk modifier event, but the saved search fails with the below error. I raised dispatch.ttl by a large amount for testing.

| from datamodel:Intrusion_Detection
| search [| inputlookup internal_ip | rename ip as src]
| eval risk_object_type=if(isnotnull(src_nt_host),"system","unmanaged_system")
| eval risk_score=if(risk_object_type="system",40,5)
| eval risk_object=if(isnotnull(src_nt_host),src_nt_host,src)
| sendalert risk


"sendmodalert - action=risk STDERR -
ERROR: [Errno 2] No such file or

Any tips of where to turn from here?

0 Karma
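A small triage helper for the error quoted in the question, added here as example code (it is not from the thread or from Splunk): it parses the sendmodalert line, tells a scheduled sid (scheduler__ prefix) from an ad-hoc one, and checks what is left on disk for that dispatch directory. The log line, directory layout and sids in demo() are constructed placeholders.

```python
import os
import re
import tempfile

# Shape of the error quoted in the post (Python 2 "u'...'" repr included).
ERR_RE = re.compile(
    r"sendmodalert - action=(?P<action>\w+) STDERR - ERROR: "
    r"\[Errno 2\] No such file or directory: u?'(?P<path>[^']+)'"
)

def parse_sendmodalert_error(line):
    """Pull action, dispatch directory, sid and missing file out of the error.
    A sid starting with 'scheduler__' came from a saved search; anything else
    is an ad-hoc search, which is the split the original poster observed."""
    m = ERR_RE.search(line)
    if not m:
        return None
    dispatch_dir, missing = os.path.split(m.group("path"))
    sid = os.path.basename(dispatch_dir)
    return {"action": m.group("action"), "dispatch_dir": dispatch_dir,
            "sid": sid, "missing_file": missing,
            "scheduled": sid.startswith("scheduler__")}

def diagnose(info):
    """Classify the failure from what is (still) on disk for that sid."""
    if not os.path.isdir(info["dispatch_dir"]):
        return "dispatch dir gone: reaped after dispatch.ttl or never created"
    if os.path.isfile(os.path.join(info["dispatch_dir"], info["missing_file"])):
        return "results file present now: action ran before it was finalized"
    return "dispatch dir exists but results file was never written"

def demo():
    """Constructed example: one scheduled sid whose dispatch dir is gone and
    one ad-hoc sid whose dir exists without results.csv.gz (placeholder sids)."""
    root = tempfile.mkdtemp()
    sched = os.path.join(root, "scheduler__admin__search__RMD5placeholder_at_1700000000_1")
    adhoc = os.path.join(root, "1700000000.42")
    os.makedirs(adhoc)  # ad-hoc dispatch dir exists, but no results file in it
    template = ("sendmodalert - action=risk STDERR - ERROR: [Errno 2] "
                "No such file or directory: u'%s/results.csv.gz'")
    out = {}
    for d in (sched, adhoc):
        info = parse_sendmodalert_error(template % d)
        out[info["sid"]] = (info["scheduled"], diagnose(info))
    return out
```

Run it against lines from splunkd.log or the modular alert's own log to see, per sid, whether the dispatch directory was reaped or whether the search never wrote results for the action to read.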


I also have this issue. Are there any solutions? Thanks.

0 Karma

Loves-to-Learn Lots

I have the same question as you. Have you solved it?

0 Karma


Did you ever get a solution to this? I am having the same problem: the search runs when run manually and creates the risk index entries, but when run as a saved search it gives me the same error.

0 Karma

New Member

Facing the same issue. Any solution for this?

0 Karma