Alerting

Why is my scheduled Alert not emailing me a CSV file?

randymoore
Explorer

Hello,

I'm stuck. I can't get a simple alert against the source=WinEventLog:Security to send me a CSV file. This is on Splunk Enterprise v 6.3

The search that I am trying to do is simple

source=WinEventLog:Security | stats count by host

For this test, I have it set up to run as a cron every 5 minutes, with the checkbox set to create a CSV and email it to myself. It runs as expected. I can view the results in the *Triggered Alerts* and see that it creates 124 lines that look like

    host          count
    XX-APP01       31
    XX-APP02       25
    etc

However, no CSV is emailed to me.

Looking in python.log, sendemail does not generate an error message

When I change it to send a PDF via email, or show the results in-line via email, the email arrives within 10 seconds of the job running, with the 124 lines displayed. Based on this, I don't believe it is an email issue.

Can't figure out why a simple CSV will not be generated and emailed. What (or where) should I look next? Is there some Splunk config switch that I need to turn on (or off)?

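The alert described in the question, written out as a `savedsearches.conf` stanza. This is an added example, not the poster's own configuration: the stanza name, recipient address and app location are assumed. It is useful as a check because the "send CSV" checkbox in Splunk Web is supposed to write `action.email.sendcsv = 1`; comparing this stanza with what `splunk btool savedsearches list --debug` actually reports for the alert separates a configuration problem (setting not written, or overridden in another app) from product behaviour in a given version.

```ini
# Added example, not the poster's configuration.
# Assumed: stanza name, recipient address, and that the stanza lives in
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
[WinSec host count - CSV test]
search = source=WinEventLog:Security | stats count by host
dispatch.earliest_time = -5m
dispatch.latest_time = now

# Scheduled every 5 minutes, as in the question
enableSched = 1
cron_schedule = */5 * * * *

# Trigger whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0

# Email action: attach the results as a CSV file.
# action.email.sendcsv is the setting the "create a CSV" checkbox writes;
# inline and PDF are off so the CSV attachment is the only delivery path.
action.email = 1
action.email.to = analyst@example.com
action.email.subject = Splunk Alert: $name$
action.email.sendcsv = 1
action.email.sendpdf = 0
action.email.inline = 0
```

To verify what Splunk has actually merged for the alert, run `$SPLUNK_HOME/bin/splunk btool savedsearches list "WinSec host count - CSV test" --debug` on the search head; the debug output names the file that supplies each key. If `action.email.sendcsv` is missing or set to `0` there, the cause is configuration. If the merged stanza looks like the one above, the PDF and inline variants arrive, and `python.log` shows no `sendemail` error, that matches what the poster saw, which was resolved by upgrading from 6.3 to 6.4.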
1 Solution

randymoore
Explorer

The problem was solved by upgrading from 6.3 to 6.4. Everything works like it's supposed to now.



Yasaswy
Contributor

Some good info here.


woodcock
Esteemed Legend

I would open a support case.
