Hi guys, I've got a problem with my Splunk installation and I hope someone of you can help me to sort it out.
I have a very simple installation (it's just one host) that collects some log files and handles some alerts.
For example, I have a search that counts the number of events that occurred in the last minute and, when this number is greater than 30, it starts two different actions:
1. It sends me an email
2. It logs an event in another index by using the "Log Event" alert action.
Everything was working fine until yesterday, when the Log Event action stopped working for no apparent reason.
I still receive the email when the number of events in the last minute is greater than 30 (so I'm sure that the search runs OK and that the actions are triggered), but no event is logged by the Log Event action.
I tried to look at the log by using:
index=_internal log_level=ERROR
but the error message doesn't help me
07-20-2017 10:22:08.342 +0200 ERROR sendmodalert - Error in 'sendalert' command: Alert script returned error code 2.
07-20-2017 10:22:08.342 +0200 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 2., search='sendalert logevent results_file="D:\\Splunk\\var\\run\\splunk\\dispatch\\scheduler__admin__search__RMD53ad9f93916647cdf_at_1500538920_15470\\results.csv.gz" results_link="http://srv-splunk:8000/app/search/@go?sid=scheduler__admin__search__RMD53ad9f93916647cdf_at_1500538920_15470"'
What's the meaning of this "error code 2"?
Any ideas?
Thanks a lot!
Davide
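For readers trying to reproduce the setup the question describes, this is an added example (not Davide's configuration and not Splunk's own files) of a savedsearches.conf stanza that wires up the same pattern: a scheduled search that counts events over the previous minute, fires when the count is above 30, and runs both the e-mail action and the "Log Event" (logevent) modular alert action. The stanza name, the source index, the e-mail address and the target index are constructed placeholders.

```ini
# Added example savedsearches.conf stanza (constructed, not from the post).
# Stanza name, indexes and addresses are placeholders.
[event_rate_over_30_per_min]
search = index=app_logs

# Run once a minute over the previous whole minute
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = @m

# Trigger condition: number of matching events greater than 30
alert_type = number of events
alert_comparator = greater than
alert_threshold = 30
alert.track = 1

# Action 1: e-mail notification
action.email = 1
action.email.to = ops@example.invalid
action.email.subject = Splunk alert: event rate over 30/min

# Action 2: "Log Event" modular alert. The alert script writes one summary
# event into the index named here; the event text can use result tokens.
action.logevent = 1
action.logevent.param.index = alerts_summary
action.logevent.param.host = srv-splunk
action.logevent.param.source = event_rate_alert
action.logevent.param.sourcetype = alert:summary
action.logevent.param.event = Event rate alert fired: sid=$job.sid$ results_link=$results.url$
```

Because each action in the stanza is independent, the e-mail arriving while the Log Event action fails matches the log lines in the question: `sendalert` runs the logevent script separately and reports its exit status ("returned error code 2") without saying why. Narrowing the `_internal` search the question already uses to `component=sendmodalert` shows the script's own stdout/stderr lines around the error, which is where the reason for a non-zero exit usually appears, and it is worth confirming that the index named in `action.logevent.param.index` still exists and is writable.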