Splunk Enterprise Security

sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

New Member

I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds a risk modifier event, but the saved search fails with the below error. I raised dispatch.ttl by a large amount for testing.
SEARCH:

| from datamodel:Intrusion_Detection
| search [| inputlookup internal_ip | rename ip as src]
| `get_asset(src)`
| eval risk_object_type=if(isnotnull(src_nt_host),"system","unmanaged_system")
| eval risk_score=if(risk_object_type="system",40,5)
| eval risk_object=if(isnotnull(src_nt_host),src_nt_host,src)
| sendalert risk

ERROR:

"sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'"

Any tips of where to turn from here?

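The error above is raised when the alert action tries to open the results_file path from the payload sendmodalert hands it and the scheduled search's dispatch directory no longer contains results.csv.gz. The following is an added example, not code from the post or from Splunk/ES: a small check an alert action could run on that payload before opening the file, plus a fixture builder that constructs a results.csv.gz in the same layout so the check can be exercised offline (the sid and rows are constructed placeholders).

```python
# Added example, not Splunk/ES code: validate the modular-alert payload before opening results_file.
import csv
import gzip
import os
import shutil
import tempfile

RISK_FIELDS = ("risk_object", "risk_object_type", "risk_score")


def load_results(payload):
    """payload: the dict sendmodalert passes to the action on stdin;
    results_file is the gzipped CSV of search results. Returns (rows, error)."""
    path = payload.get("results_file")
    if not path:
        return [], "payload has no results_file"
    if not os.path.isfile(path):
        # The condition behind the post's error: the scheduled search's
        # dispatch directory holds no results.csv.gz when the action runs.
        return [], "results_file missing: %s (sid=%s)" % (path, payload.get("sid"))
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh)), None


def missing_risk_fields(rows):
    """Risk fields empty in at least one row; without them (or param.*
    overrides) the risk action has nothing to write as a modifier."""
    return sorted({f for row in rows for f in RISK_FIELDS if not row.get(f)})


def build_fixture(rows, directory):
    """Write constructed rows as results.csv.gz in the layout Splunk uses."""
    path = os.path.join(directory, "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    return path


def demo():
    """Run both outcomes on constructed data; returns a summary dict."""
    tmp = tempfile.mkdtemp()
    rows = [{"risk_object": "10.0.0.5", "risk_object_type": "system", "risk_score": "40"},
            {"risk_object": "", "risk_object_type": "unmanaged_system", "risk_score": "5"}]
    sid = "scheduler__CONSTRUCTED_SID"  # placeholder, not a real search id
    present = {"sid": sid, "results_file": build_fixture(rows, tmp)}
    expired = {"sid": sid, "results_file": os.path.join(tmp, "gone", "results.csv.gz")}
    ok_rows, ok_err = load_results(present)
    gone_rows, gone_err = load_results(expired)
    shutil.rmtree(tmp)
    return {"rows": len(ok_rows), "err": ok_err, "fields": missing_risk_fields(ok_rows),
            "gone_rows": len(gone_rows), "gone_err": gone_err}
```

Logging the sid together with the missing path makes it possible to correlate the failure with the scheduler's dispatch entry and its ttl instead of seeing only a traceback.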

Re: sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

Motivator

Did you ever get a solution to this? I am having the same problem: the search runs when run manually and creates the risk index entries, but when run as a saved search it gives me the same error.


Re: sendmodalert - action=risk STDERR - ERROR: [Errno 2] No such file or directory: u'/opt/splunk/var/run/splunk/dispatch/scheduler***/results.csv.gz'

New Member

Facing the same issue. Any solution for this?
