Solved: Permission Trouble with using Scheduled Export of ...

ferdbiffle · ‎03-30-2018

I'm trying to use the Scheduled Export of Indexed Data (SEND) to File modular alert to send a file to a specified folder on a Windows share. We are running Splunk on CentOS 7 running on the same V-Lan as the target domain of the share.

In the config for the modular alert:

Output Directory //hostname/sharename
Output Filename TestSchedExport.csv

When the alert runs I get the following results:

WARN sendmodalert - action=sendfile - Alert action script returned error code=2
INFO sendmodalert - action=sendfile - Alert action script completed in duration=45 ms with exit code=2
FATAL sendmodalert - action=sendfile STDERR - Failed trying to send file
ERROR sendmodalert - action=sendfile STDERR - [Errno 2] No such file or directory: u'/hostname/sharename/TestSchedExport1.csv'

My inkling is that I need to somehow modify the Python script that runs the modular alert to include authentication, but I am not Python conversant so I'm not sure where to start... Any takers out there?

Thanks,

Eric

ferdbiffle · ‎04-23-2018

We solved this issue by creating a CIFS mount to the Windows Share. We mount this at Splunk startup and utilize an AD service account/password to authenticate for the connection. All subsequent "send_file" actions write to the share flawlessly!

View solution in original post

ferdbiffle · ‎04-23-2018

We solved this issue by creating a CIFS mount to the Windows Share. We mount this at Splunk startup and utilize an AD service account/password to authenticate for the connection. All subsequent "send_file" actions write to the share flawlessly!

Permission Trouble with using Scheduled Export of Indexed Data (SEND) to File

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024