Recently upgraded from 7.2.3 to 8.0 and a previously configured scheduled alert is not longer sending emails correctly. The search pulls from a lookup table that contains vulnerability scan data containing four fields: Hostname, Vulnerability, Priority, and Responsibility. What I'm trying to accomplish and what has been working up until the upgrade was that a map search would iterate over the hostnames, group all vulnerabilities for that host into a table, and send that as a separate email per host. So in this example, the subsearch would find up to 25 hosts and send 25 separate emails to an email address.
| inputlookup vulnreporthostlookup.csv | stats values(Vulnerability) AS Vulnerability by Hostname | map maxsearches=25 search="|inputlookup vulnreporthostlookup.csv | search Hostname=\"$Hostname$\"| table Hostname, Vulnerability, Priority, Responsibility | sendemail to=username@domain.com from=splunkalert@domain.com subject=\"Scan result data for $result.Responsibility$ : $Hostname$\" message="" sendresults=true inline=true sendcsv=true"
The error in python.log probably as something to do with it. It complains about authorization to run the subsearch I guess? I've checked and reapplied capabilities to my account and I'm a full admin.
2019-10-24 10:56:41,391 -0400 ERROR sendemail:1422 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/username/default_app/search/jobs/subsearch_1571928983.1146_1571929...
I understand that this could be a two-fold problem, one is that my syntax is not optimized for the job at hand and the other being something that broke permissions on upgrade. Does anyone have any thoughts? Need help.
Hi @aallred, Did you got a chance to solve the problem, or do you have any workaround for your scenarios.
I am also facing the same problem right now. The same alert use to work in the 7.2.1 version and it is not working after I upgrade to 8.0.1.
Hi,
did you solve the problem?
I had this issue when running 8.0.3. I just upgraded to 8.0.5 and it works as expected.
Have you opened a support case for this? If there is an actual defect in 8.0 that is causing this issue, they can file it with the engineering team.
The subquery doesn't seem to have the session context.
"| sendemail [options] " called from parent search works fine.
"| sendemail [options]" in map command subquery returns:
ERROR sendemail:1435 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/auditadmin/auditreports/search/jobs/subsearch_1587751603.162_15877...
Traceback (most recent call last):
File "/export/appl/ela/apps/splunk/etc/apps/search/bin/sendemail.py", line 1428
and you got a fix for this? i am getting the same issue