Splunk Enterprise Security

sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

brotheh
New Member

I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds risk modifier event, but the saved search fails with the below error. I raised dispatch.ttl by a large amount for testing.
SEARCH:

| from datamodel:Intrusion_Detection
| search
[| inputlookup internal_ip | rename ip as src]

|get_asset(src)

| eval risk_object_type=if(isnotnull(src_nt_host),"system","unmanged_system")
| eval risk_score=if(risk_object_type="system",40,5)
| eval risk_object=if(isnotnull(src_nt_host),src_nt_host,src)
| sendalert risk

ERROR:

"sendmodalert - action=risk STDERR -
ERROR: [Errno 2] No such file or
directory:
u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'"

Any tips of where to turn from here?

0 Karma

timrich66
Communicator

I also have this issue.  Are there any solutions?  Thanks

0 Karma

zhangcongcong
Loves-to-Learn Lots

I  have the same question with you,do you have solved it?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Did you ever get a solution to this, I am having the same problem - the search runs when run manually and creates the risk index entries, but when run as a saved search gives me the same problem

0 Karma

sathim47
New Member

Facing same issue. Any solution for this ?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...