Recently upgraded from 7.2.3 to 8.0 and a previously configured scheduled alert is not longer sending emails correctly. The search pulls from a lookup table that contains vulnerability scan data containing four fields: Hostname, Vulnerability, Priority, and Responsibility. What I'm trying to accomplish and what has been working up until the upgrade was that a map search would iterate over the hostnames, group all vulnerabilities for that host into a table, and send that as a separate email per host. So in this example, the subsearch would find up to 25 hosts and send 25 separate emails to an email address.
| inputlookup vulnreporthostlookup.csv | stats values(Vulnerability) AS Vulnerability by Hostname | map maxsearches=25 search="|inputlookup vulnreporthostlookup.csv | search Hostname=\"$Hostname$\"| table Hostname, Vulnerability, Priority, Responsibility | sendemail to=username@domain.com from=splunkalert@domain.com subject=\"Scan result data for $result.Responsibility$ : $Hostname$\" message="" sendresults=true inline=true sendcsv=true"
The error in python.log probably as something to do with it. It complains about authorization to run the subsearch I guess? I've checked and reapplied capabilities to my account and I'm a full admin.
2019-10-24 10:56:41,391 -0400 ERROR sendemail:1422 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/username/default_app/search/jobs/subsearch_1571928983.1146_1571929000.25?output_mode=json
I understand that this could be a two-fold problem, one is that my syntax is not optimized for the job at hand and the other being something that broke permissions on upgrade. Does anyone have any thoughts? Need help.
... View more