Solved: Why is my scheduled Alert not emailing me a CSV fi...

randymoore · ‎06-27-2016

Hello,

I'm stuck. I can't get a simple alert against the source=WinEventLog:Security to send me a CSV file. This is on Splunk Enterprise v 6.3

The search that I am trying to do is simple

source=WinEventLog:Security | stats count by host

For this test, I have it set up to run as a cron every 5 minutes, with the checkbox set to create a CSV and email it to myself. It runs as expected. I can view the results in the *Triggered Alerts * and see that it creates 124 lines that look like

    host          count
    XX-APP01       31
    XX-APP02       25
    etc

However, no CSV is emailed to me.

Looking in python.log, sendemail does not generate an error message

When I change it to send a PDF via email, or show the results in-line via email, the email arrives within 10 seconds of the job running, with the 124 lines displayed. Based on this, I don't believe it is an email issue.

Can't figure out why a simple CSV will not be generated and emailed. What (or where) should I look next? Is there some Splunk config switch that I need to turn on (or off)?

randymoore · ‎07-01-2016

The problem was solved by upgrading from 6.3 to 6.4. Everything works like it supposed to now.

View solution in original post

randymoore · ‎07-01-2016

The problem was solved by upgrading from 6.3 to 6.4. Everything works like it supposed to now.

Yasaswy · ‎06-28-2016

Some good info here..

woodcock · ‎06-28-2016

I would open a support case.

Why is my scheduled Alert not emailing me a CSV file?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life