Hi Bob

I tried the workaround but the results are same.

Kindly advice

Hi Bob

Tks for the reply.

Actually I need to set it to greater than 0 , because when I set the e-mail alert before
I used to get the blank pdf (specially when there are no events)

I will try the configuration and let you know the outcome.

Hi Muralee

This sounds to me like a permissions problem that will need to be sorted in the local.meta configuration file. Searches in some apps are not allocated an owner which would happen if they were created in the UI. This prevents issues if the account doesn't exist when the app is installed but occasionally it gets confused when it has been modified a couple of times by other users.

I would look in your $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/metadata/local.meta file for a stanza

[savedsearches/PCI%201.2%20-%20Rule%20-%20Detect%20Communication%20Directly%20To%20Untrusted%20From%20Trusted]

and add the following line below it replacing admin with a valid administrator account.

owner = admin

BUT

I think the underlying issue is more serious. You are masking a potential threat by changing this. There are three potential scenarios.

1) you have an ip address marked as trusted that shouldn't be.

2) you have an ip address marked as untrusted that should be trusted.

3) Someone or something is making connections that shouldn't be allowed.

The first two can easily be remedied by editing your lookup file network_domain_list.csv the third should be investigated and possibly blocked by your firewall. Do you really want to ignore up to 5 instances of scenario 3.