Splunk Enterprise Security

sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

brotheh
New Member

I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds risk modifier event, but the saved search fails with the below error. I raised dispatch.ttl by a large amount for testing.
SEARCH:

| from datamodel:Intrusion_Detection
| search
[| inputlookup internal_ip | rename ip as src]

|get_asset(src)

| eval risk_object_type=if(isnotnull(src_nt_host),"system","unmanged_system")
| eval risk_score=if(risk_object_type="system",40,5)
| eval risk_object=if(isnotnull(src_nt_host),src_nt_host,src)
| sendalert risk

ERROR:

"sendmodalert - action=risk STDERR -
ERROR: [Errno 2] No such file or
directory:
u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'"

Any tips of where to turn from here?

0 Karma

zhangcongcong
Loves-to-Learn Lots

I  have the same question with you,do you have solved it?

0 Karma

bowesmana
Champion

Did you ever get a solution to this, I am having the same problem - the search runs when run manually and creates the risk index entries, but when run as a saved search gives me the same problem

0 Karma

sathim47
New Member

Facing same issue. Any solution for this ?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!