We are having the same problem.
Splunk 4.3, Windows 2008 R2 fully patched. Splunk is running as a domain user with local admin privileges (even added all the security privileges required). Splunk's installed on the 😧 drive.
When I pipe results to 'sendemail' with all the appropriate settings I receive:
"External search command 'sendemail' returned error code 1."
We've rebuilt the OS, and even installed Splunk on a Windows 7 VM and the 'sendemail' command works just fine.
The 'splunkd.log' contains the following:
02-16-2012 10:40:26.759 -0800 ERROR
ScriptRunner - stderr from
'D:\Splunk\etc\apps\search\bin\sendemail.py':
ImportError: No module named site
02-16-2012 10:40:26.759 -0800 ERROR
ScriptRunner - extern write error:
errno=The pipe is being closed.
02-16-2012 10:40:26.790 -0800 ERROR
script - External search command
'sendemail' returned error code 1.
I added a 'PYTHONPATH' env. variable and pointed it to D:\Splunk\Python-2.7\lib, which caused the logged errors to change. Definitely something strange going on with the Python environment.
... View more