Trying to use the DECRYPT app and I keep getting an error. I have it installed in an SH cluster and commands.conf has local=true and there is no streaming setting, so that should default to false so it doesn't run on the indexers.
However, I'm still getting errors from the indexers "Streamed search execute failed because: Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1"
https://splunkbase.splunk.com/app/2655/
Any suggestions?
Have you tried explicitly setting streaming = false rather than letting it default?
Consider inserting a non-streaming command like table before the decrypt command to force the query to run on the SH.
Decrypt v2.3.0 works fine with my Splunk v8.1.1 infra if I execute it at the end of a Splunk query.
If I run any command, like table or sendemail, after the decrypt command it fails with same error message.
Alert from saved search with decrypt command is not sent either.
Could you please clarify?
Try upgrading to 2.3.1 and see if the issue is resolved.
Hi mjz, just noticed the decrypt app is archived and wanted to check that was on purpose.
Thanks
After upgrading the app, the error still occurs.
The decrypt command only works if at the end of a Splunk query.
If I run now sendemail after the decrypt I get:
External search command 'sendemail' returned error code 1. .
If I run any stats it just shows no results found.
A new version 2.3.1 will be pushed soon to fix this error. A workaround is to install the app on each of the indexers - though in your case it looks like you want to avoid utilizing the indexers - in which case you will want to continue to use the accepted answer even after the upgrade.
Which version?
There was an issue in 2.2.0 fixed in 2.2.1 where local=true was set but should not have been set.
Is this 2.2.1 or 2.3.0?
DECRYPT 2.3.0
Hmm, interesting in 2.2.1 I had:
[decrypt]
filename = decrypt.py
streaming = true
And that works, but decrypt 2.3.0 is a re-write so a bit different.
I found that the attempt to import StringIO fails in python3 in Splunk 8.0.x:
02-10-2021 04:02:50.355 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/decrypt/bin/decrypt.py
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/decrypt/bin/decrypt.py", line 12, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: import decryptlib
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/decrypt/bin/decryptlib.py", line 1, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: import StringIO
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'StringIO'
02-10-2021 04:02:50.495 ERROR ChunkedExternProcessor - EOF while attempting to read transport header read_size=0
02-10-2021 04:02:50.536 ERROR ChunkedExternProcessor - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.
If you override the python.version back to python2 in the commands.conf file (local/commands.conf) then it should work fine, however you then have the issue that the lib directory is not on the indexers so now it works on search heads but fails on indexers.
I updated decrypt.py to:
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "lib"))
And I moved the lib/splunklib to bin/lib/splunklib
That fixes my issue for getting it distributed across the indexers and not running on the SH exclusively. I cannot contact the author to let them know unfortunately 😞
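The post above describes two separate failures: the Python 2 only `import StringIO` that breaks under Splunk's Python 3 interpreter, and a `lib` directory that sits outside `bin/` and so is not shipped to the indexers with the search bundle. The following is an added example, not code from the decrypt app or its author, showing both fixes as a version-neutral import and a path helper that resolves `bin/lib` relative to the command script. The `make_demo_app` function builds a throwaway app layout in a temp directory (paths and the `demo_splunklib` package name are constructed for this example) so the path fix can be checked without a Splunk install.

```python
# Added example, not the decrypt app's own code. Demonstrates the two fixes
# discussed in the thread: a Python 2/3 compatible StringIO import, and
# loading bundled libraries from bin/lib so they travel with the app bundle.
import importlib
import os
import sys
import tempfile

try:
    from io import StringIO            # Python 3 (also present on Python 2.6+)
except ImportError:                    # only very old Python 2 lacks io.StringIO
    from StringIO import StringIO      # noqa: F401


def buffer_roundtrip(text):
    """Write text to an in-memory buffer and read it back, using whichever
    StringIO the import above selected. Returns the text unchanged."""
    buf = StringIO()
    buf.write(text)
    buf.seek(0)
    return buf.read()


def bundled_lib_dir(script_path):
    """Return <dir of script>/lib, i.e. bin/lib when script_path is a command
    script in the app's bin/ directory. Resolved from the script, not the CWD,
    because the search bundle is unpacked under a different root on indexers."""
    return os.path.join(os.path.dirname(os.path.abspath(script_path)), "lib")


def ensure_on_path(lib_dir):
    """Put lib_dir first on sys.path so bundled packages win over any system
    copy. Idempotent; returns True only if an entry was actually added."""
    if lib_dir in sys.path:
        return False
    sys.path.insert(0, lib_dir)
    importlib.invalidate_caches()  # the directory may have been created just now
    return True


def import_from_bundled_lib(script_path, module_name):
    """Resolve bin/lib next to script_path, add it to sys.path and import
    module_name from it. Raises ImportError if the module is still missing."""
    ensure_on_path(bundled_lib_dir(script_path))
    return importlib.import_module(module_name)


def make_demo_app(root=None):
    """Create a constructed app layout (bin/<script>, bin/lib/demo_splunklib)
    in a temp directory and return the path of the command script."""
    root = root or tempfile.mkdtemp(prefix="decrypt_demo_")
    bin_dir = os.path.join(root, "bin")
    lib_pkg = os.path.join(bin_dir, "lib", "demo_splunklib")  # hypothetical package
    os.makedirs(lib_pkg)
    script = os.path.join(bin_dir, "decrypt_demo.py")         # hypothetical script
    with open(script, "w") as f:
        f.write("# placeholder command script for the demo layout\n")
    with open(os.path.join(lib_pkg, "__init__.py"), "w") as f:
        f.write('VERSION = "demo"\n')
    return script


if __name__ == "__main__":
    script = make_demo_app()
    print("bundled lib dir:", bundled_lib_dir(script))
    mod = import_from_bundled_lib(script, "demo_splunklib")
    print("imported", mod.__name__, "version", mod.VERSION)
    print("StringIO roundtrip:", buffer_roundtrip("hello"))
```

Keeping the library directory under `bin/` matters because that is what the knowledge bundle replicates to indexers; a sibling `lib/` at the app root is on the search head only, which is exactly the "works on SH, fails on indexers" symptom in the post.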