I have set the alert to write the event to the index using the 'log event' action.
I am writing to a custom index named 'notable'. I have made sure that the index has been created on the search head and also added the capability 'edit_tcp' to the user role who owns the alert.
But when the alert is trying to execute the action, we are seeing the following error messages in Splunk's internal logs.
No events are being written to the index. I am not able to find any documentation on what the error code 2 means in this scenario.
If anyone has any idea, please let me know.
11-21-2019 07:00:17.684 -0600 WARN sendmodalert - action=logevent - Alert action script returned error code=2
11-21-2019 07:00:17.684 -0600 INFO sendmodalert - action=logevent - Alert action script completed in duration=97 ms with exit code=2
11-21-2019 07:00:17.678 -0600 ERROR sendmodalert - action=logevent STDERR - Error sending receiver request: HTTP Error 400: Bad Request