Splunk Enterprise Security

SavedSearch running as type=Inline works, type=Saved fails - why?

bowesmana
SplunkTrust

I set up a saved search and it is failing to run. It is throwing an error in the GUI:

Error in 'sendalert' command: Alert script returned error code 3.

but I happened to create another one when trying to debug it and that one worked. What I can see that is different is that the one that works has these two key lines in search.log:

SavedSplunk - Savedsearch scheduling at the 'application' level is only effective the for 'nobody' user. Disabling schedule of savedsearch_ident="admin;SplunkEnterpriseSecuritySuite;Cancellations"

followed by

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569907560_121" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**inline**"

whereas the failing one does not have the first line, but has this for the second

sendmodalert - Invoking modular alert action=risk for search="Cancellations" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__Cancellations_at_1569910380_349" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="**saved**"

The key difference is type=inline vs. type=saved.

Just wondering what that first line means, and if there is a way to always force a saved search to run inline in all cases.

0 Karma

bowesmana
SplunkTrust

The background to this is that I am running Enterprise Security. I was hoping to assign a risk score to multiple objects, but a correlation search cannot run more than one adaptive response action for risk.

So, I am implementing a saved search instead that will

  • create a score/object/type tuple for each search result
  • mvexpand on this field
  • Split out the field
  • Run "sendalert risk" for each of the resulting events

Appendpipe does not solve the problem for more than two risk objects, as you end up with 2^(n-1) events where n is the number of risk objects.

The saved search works when run manually, but fails when scheduled.

0 Karma
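A sketch of the tuple / mvexpand / split / sendalert approach described in the post above, as an added example rather than the poster's own search. Everything specific in it is assumed: the index and sourcetype (index=app_logs, sourcetype=order_events), the field names user and dest, the scoring weights, and the sendalert parameters (param._risk_object, param._risk_object_type, param._risk_score). Whether those three parameters accept a per-result field name or only a literal value depends on the Enterprise Security version, so check them against the Risk Analysis action documentation for your release before relying on this.

```spl
index=app_logs sourcetype=order_events action=cancel
| stats count AS cancellations BY user, dest
| where cancellations > 10
| eval risk_tuples=mvappend(
      "user|"   . user . "|" . tostring(cancellations * 5),
      "system|" . dest . "|" . tostring(cancellations * 2))
| mvexpand risk_tuples
| rex field=risk_tuples "^(?<risk_object_type>[^|]+)\|(?<risk_object>[^|]+)\|(?<risk_score>\d+)$"
| fields - risk_tuples
| table _time, user, dest, cancellations, risk_object_type, risk_object, risk_score
| sendalert risk param._risk_object="risk_object" param._risk_object_type="risk_object_type" param._risk_score="risk_score"
```

The eval builds one multivalue field holding a type|object|score tuple for each risk object you want to score (two here; add more mvappend arguments for more objects), mvexpand turns each tuple into its own result row, and rex splits the tuple back into separate fields. Because mvexpand produces exactly one row per tuple, n risk objects yield n rows per original result instead of the 2^(n-1) rows the appendpipe approach produces. Run the search manually first and confirm the table shows one row per (object, type) pair with the expected score before adding the sendalert stage, and when scheduling it keep in mind the owner/app context from the search.log lines quoted in the question, since that is what differed between the working and failing runs.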