DECRYPT - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.

ch1221
Path Finder

Trying to use the DECRYPT app and I keep getting an error. I have it installed in a SH cluster and commands.conf has local=true and there is no streaming setting, so that should default to false so it doesn't run on the indexers.

However, I'm still getting errors from the indexers "Streamed search execute failed because: Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1"

https://splunkbase.splunk.com/app/2655/

Any suggestions?


richgalloway
SplunkTrust

Have you tried explicitly setting streaming = false rather than letting it default?

Consider inserting a non-streaming command like table before the decrypt command to force the query to run on the SH.

---
If this reply helps you, Karma would be appreciated.


joao_amorim
Communicator

Decrypt v2.3.0 works fine with my Splunk v8.1.1 infra if I execute it at the end of a Splunk query.

If I run any command, like table or sendemail, after the decrypt command it fails with the same error message.

An alert from a saved search with the decrypt command is not sent either.

Could you please clarify?


mjz
Explorer

Try upgrading to 2.3.1 and see if the issue is resolved.


gjanders
SplunkTrust

Hi mjz, just noticed the decrypt app is archived and wanted to check that was on purpose.

Thanks 


joao_amorim
Communicator

After upgrading the app, the error still occurs.

The decrypt command only works if at the end of a Splunk query.

If I now run sendemail after the decrypt I get:

External search command 'sendemail' returned error code 1. .

If I run any stats it just shows no results found.


mjz
Explorer

A new version 2.3.1 will be pushed soon to fix this error. A workaround is to install the app on each of the indexers - though in your case it looks like you want to avoid utilizing the indexers - in which case you will want to continue to use the accepted answer even after the upgrade.


gjanders
SplunkTrust

Which version?


https://community.splunk.com/t5/All-Apps-and-Add-ons/DECRYPT-version-2-2-why-is-local-true-in-comman...

There was an issue in 2.2.0 fixed in 2.2.1 where local=true was set but should not have been set.

Is this 2.2.1 or 2.3.0?


ch1221
Path Finder

DECRYPT 2.3.0


gjanders
SplunkTrust

Hmm, interesting, in 2.2.1 I had:

[decrypt]
filename = decrypt.py
streaming = true


And that works, but decrypt 2.3.0 is a re-write so a bit different.

I found that the attempt to import StringIO fails in python3 in Splunk 8.0.x:

02-10-2021 04:02:50.355 INFO  ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/decrypt/bin/decrypt.py
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/decrypt/bin/decrypt.py", line 12, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:     import decryptlib
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/decrypt/bin/decryptlib.py", line 1, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:     import StringIO
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'StringIO'
02-10-2021 04:02:50.495 ERROR ChunkedExternProcessor - EOF while attempting to read transport header read_size=0
02-10-2021 04:02:50.536 ERROR ChunkedExternProcessor - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.


If you override the python.version back to python2 in the commands.conf file (local/commands.conf) then it should work fine, however you then have the issue that the lib directory is not on the indexers so now it works on search heads but fails on indexers.

I updated decrypt.py to:

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "lib"))

And I moved the lib/splunklib to bin/lib/splunklib

That fixes my issue for getting it distributed across the indexers and not running on the SH exclusively. I cannot contact the author to let them know unfortunately 😞

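An added example, not the DECRYPT app's own code, that reproduces the failure diagnosed in the post above and the bin/lib path fix: it writes two constructed stand-ins for bin/decrypt.py and bin/lib/decryptlib.py, one with the Python 2-only StringIO import and one with a Python 2/3 shim, and launches each with the current interpreter to confirm which one exits with code 1 before the app is deployed. The file contents and names here are constructed stand-ins, not the app's real files.

```python
"""Pre-deployment import check for a Splunk custom search command script,
reproducing the thread's failure: a library doing `import StringIO` exits with
code 1 under python3, which Splunk reports as "non-zero error code 1"."""
import os
import subprocess
import sys
import tempfile

# Constructed stand-ins for the app's bin/decryptlib.py (legacy vs portable).
LEGACY_LIB = "import StringIO\n"  # module only exists on Python 2
PORTABLE_LIB = (
    "try:\n"
    "    from StringIO import StringIO  # Python 2\n"
    "except ImportError:\n"
    "    from io import StringIO  # Python 3\n"
)
# Constructed stand-in for bin/decrypt.py: same path insertion as the fix in the
# thread, so bin/lib is importable wherever the bin directory is shipped.
COMMAND = (
    "import os, sys\n"
    "sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'lib'))\n"
    "import decryptlib\n"
)

def write_command(bin_dir, lib_source):
    """Lay out bin/decrypt.py and bin/lib/decryptlib.py under bin_dir."""
    os.makedirs(os.path.join(bin_dir, "lib"), exist_ok=True)
    script = os.path.join(bin_dir, "decrypt.py")
    with open(script, "w") as f:
        f.write(COMMAND)
    with open(os.path.join(bin_dir, "lib", "decryptlib.py"), "w") as f:
        f.write(lib_source)
    return script

def check_imports(script, interpreter=sys.executable):
    """Launch the script as Splunk would; return (exit_code, last stderr line)."""
    proc = subprocess.run([interpreter, script], capture_output=True, text=True)
    lines = proc.stderr.strip().splitlines()
    return proc.returncode, (lines[-1] if lines else "")

def run_checks(interpreter=sys.executable):
    """Exit code and last stderr line for both variants under `interpreter`."""
    results = {}
    for name, lib in (("legacy", LEGACY_LIB), ("portable", PORTABLE_LIB)):
        with tempfile.TemporaryDirectory() as tmp:
            script = write_command(os.path.join(tmp, "bin"), lib)
            results[name] = check_imports(script, interpreter)
    return results
```

Point `interpreter` at the Splunk-bundled python3 (the path shown in the splunkd log above) to test under the interpreter that python.version selects rather than the system one.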
