Recently upgraded from 7.2.3 to 8.0 and a previously configured scheduled alert is not longer sending emails correctly. The search pulls from a lookup table that contains vulnerability scan data containing four fields: Hostname, Vulnerability, Priority, and Responsibility. What I'm trying to accomplish and what has been working up until the upgrade was that a map search would iterate over the hostnames, group all vulnerabilities for that host into a table, and send that as a separate email per host. So in this example, the subsearch would find up to 25 hosts and send 25 separate emails to an email address. | inputlookup vulnreporthostlookup.csv | stats values(Vulnerability) AS Vulnerability by Hostname | map maxsearches=25 search="|inputlookup vulnreporthostlookup.csv | search Hostname=\"$Hostname$\"| table Hostname, Vulnerability, Priority, Responsibility | sendemail to=username@domain.com from=splunkalert@domain.com subject=\"Scan result data for $result.Responsibility$ : $Hostname$\" message="" sendresults=true inline=true sendcsv=true" The error in python.log probably as something to do with it. It complains about authorization to run the subsearch I guess? I've checked and reapplied capabilities to my account and I'm a full admin. 2019-10-24 10:56:41,391 -0400 ERROR sendemail:1422 - [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/username/default_app/search/jobs/subsearch_1571928983.1146_1571929000.25?output_mode=json I understand that this could be a two-fold problem, one is that my syntax is not optimized for the job at hand and the other being something that broke permissions on upgrade. Does anyone have any thoughts? Need help. ... View more

Fairly new Splunk customer and I've been struggling with this for a bit. I am trying to develop a strategy around vulnerability scan data and being able to trigger a report that emails a summary of all vulnerabilities detected per device, one email per device. So far, I have taken the relevant data (Anything with a high CVSS score) and written it to a lookup table. This includes dns_name, plugin_name. From that lookup, I have done the following: |inputlookup vulnreportlookup.csv | stats values(plugin_name) as "Plugin" by dns_name | rename dns_name as "Device Name" | table "Device Name", Plugin This table is a rough approximation of what I need, with one row per device and all the vulnerabilities for that device in-row. I've tried appending to this a map search and adding a eval statement: |inputlookup vulnreportlookup.csv | stats values(plugin_name) as "Plugin" by dns_name | rename dns_name as "Device Name" | table "Device Name", Vulnerabilities | map search="| sendemail to=admin@mydomain.com subject=$result.DeviceName$ from=splunk@mydomain.com message=\"test test test\"" If I have 14 devices that I am testing, I will receive 14 emails where the subject line is "No subject" running this. I've tried different combinations of $result.DeviceName$, $DeviceName$, $result.dns_name$ with no success. From what I've read so far most of the questions on this forum that are similar have been around sending messages to different recipients based on the results. I am trying to aggregate the results per device and send one email per device. Any help? ... View more