sendmodalert - action=risk STDERR - ERROR: [Errno...

brotheh · ‎03-31-2019

I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds risk modifier event, but the saved search fails with the below error. I raised dispatch.ttl by a large amount for testing.
SEARCH:

| from datamodel:Intrusion_Detection
| search
[| inputlookup internal_ip | rename ip as src]

|get_asset(src)

| eval risk_object_type=if(isnotnull(src_nt_host),"system","unmanged_system")
| eval risk_score=if(risk_object_type="system",40,5)
| eval risk_object=if(isnotnull(src_nt_host),src_nt_host,src)
| sendalert risk

ERROR:

"sendmodalert - action=risk STDERR -
ERROR: [Errno 2] No such file or
directory:
u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'"

Any tips of where to turn from here?

timrich66 · ‎08-02-2021

I also have this issue. Are there any solutions? Thanks

zhangcongcong · ‎09-23-2020

I have the same question with you,do you have solved it?

bowesmana · ‎09-29-2019

Did you ever get a solution to this, I am having the same problem - the search runs when run manually and creates the risk index entries, but when run as a saved search gives me the same problem

sathim47 · ‎01-20-2020

Facing same issue. Any solution for this ?

sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services