Splunk Enterprise Security

sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

brotheh
New Member

I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds a risk modifier event, but the saved search fails with the error below. I raised dispatch.ttl by a large amount for testing.

SEARCH:

| from datamodel:Intrusion_Detection
| search [| inputlookup internal_ip | rename ip as src]
| `get_asset(src)`
| eval risk_object_type=if(isnotnull(src_nt_host),"system","unmanaged_system")
| eval risk_score=if(risk_object_type="system",40,5)
| eval risk_object=if(isnotnull(src_nt_host),src_nt_host,src)
| sendalert risk

ERROR:

"sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'"

Any tips on where to turn from here?


timrich66
Communicator

I also have this issue. Are there any solutions? Thanks

zhangcongcong
Loves-to-Learn Lots

I have the same question as you; have you solved it?

bowesmana
SplunkTrust

Did you ever get a solution to this? I am having the same problem: the search runs when run manually and creates the risk index entries, but when run as a saved search it gives me the same error.

sathim47
New Member

Facing the same issue. Any solution for this?