Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SavedSearch running as type=Inline works, type=Saved fails - why?

bowesmana
SplunkTrust
SplunkTrust
‎09-30-2019 11:40 PM

I setup a saved search and it is failing to run. It is throwing an error in the gui

Error in 'sendalert' command: Alert script returned error code 3.

but I happened to create another when trying to debug it and that one worked. What I can see different is the the one that works has these two key lines in search.log

SavedSplunk - Savedsearch scheduling at the 'application' level is only effective the for 'nobody' user. Disabling schedule of savedsearch_ident="admin;SplunkEnterpriseSecuritySuite;Cancellations"

followed by

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569907560_121" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**inline**"

whereas the failing one does not have the first line, but has this for the second

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569910380_349" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**saved**"

key difference being type=inline vs saved

Just wondering what that first line means and if there is a way to always force a saved search to run inline in all cases

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-01-2019 09:33 PM

The background to this is that I am running Enterprise Security. I was hoping to assign a risk score to multiple objects, but a correlation search cannot run more than one adaptive response action for risk.

So, I am implementing a saved search instead that will

  • create a score/object/type tuple for each search result
  • mvexpand on this field
  • Split out the field
  • Run "sendalert risk" for each of the resulting events

Appendpipe does not solve the problem for more than two risk objects, as you end up with 2^(n-1) events where n is the number of risk objects.

The saved search works when run manually, but fails when scheduled.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...