All Apps and Add-ons

DECRYPT - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.

ch1221
Path Finder

Trying to use the DECRYPT app and I keep getting an error. I have it installed in an SH cluster and commands.conf has local=true and there is no streaming setting, so that should default to false so it doesn't run on the indexers.

However, I'm still getting errors from the indexers: "Streamed search execute failed because: Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1"

https://splunkbase.splunk.com/app/2655/

Any suggestions?


richgalloway
SplunkTrust

Have you tried explicitly setting streaming = false rather than letting it default?

Consider inserting a non-streaming command like table before the decrypt command to force the query to run on the SH.

---
If this reply helps you, Karma would be appreciated.

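To make the accepted answer concrete, here is an added example in Python (mine, not code from this thread or from the DECRYPT app). It reads a constructed local/commands.conf stanza like the one in the question, fills in the commands.conf spec defaults (streaming and local both default to false), reports where Splunk will run the command, and rewrites the stanza with streaming set explicitly instead of left to the default. The sample stanza, the function names and the placement labels are my own.

```python
import configparser

# Constructed sample of a local/commands.conf stanza like the one the question
# describes: local = true is set, streaming is not. Illustrative only, not the
# DECRYPT app's shipped configuration.
SAMPLE_COMMANDS_CONF = """\
[decrypt]
filename = decrypt.py
local = true
python.version = python3
"""

# Defaults from the commands.conf spec for the two settings that decide
# where a custom command runs.
DEFAULTS = {"local": "false", "streaming": "false"}


def effective_settings(conf_text, stanza):
    """Merge the stanza's explicit settings over the spec defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case and dotted keys (python.version) intact
    parser.read_string(conf_text)
    settings = dict(DEFAULTS)
    if parser.has_section(stanza):
        settings.update(parser.items(stanza))
    return settings


def placement(settings):
    """Where Splunk runs the command for the given effective settings."""
    if settings.get("local", "false").lower() == "true":
        return "search head only"  # local wins regardless of streaming
    if settings.get("streaming", "false").lower() == "true":
        return "indexers (streaming)"
    return "search head (non-streaming)"


def with_explicit_streaming(conf_text, stanza, value="false"):
    """Return the conf text with streaming written out explicitly."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(conf_text)
    if not parser.has_section(stanza):
        parser.add_section(stanza)
    parser.set(stanza, "streaming", value)
    lines = []
    for section in parser.sections():
        lines.append("[%s]" % section)
        for key, val in parser.items(section):
            lines.append("%s = %s" % (key, val))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = effective_settings(SAMPLE_COMMANDS_CONF, "decrypt")
    print("effective:", current, "->", placement(current))
    print(with_explicit_streaming(SAMPLE_COMMANDS_CONF, "decrypt"))
```

On a real search head the same question is answered by `splunk btool commands list decrypt --debug`, which prints the merged stanza and the file each setting comes from; if the effective streaming value is not what you expect, that is the layer to correct. The second half of the answer, placing a non-streaming command such as table ahead of decrypt, needs no configuration change at all.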

joao_amorim
Communicator

Decrypt v2.3.0 works fine with my Splunk v8.1.1 infra if I execute it at the end of a Splunk query.

If I run any command, like table or sendemail, after the decrypt command it fails with the same error message.

Alert from saved search with decrypt command is not sent as well.

Could you please clarify?

mjz
Explorer

Try upgrading to 2.3.1 and see if the issue is resolved.


gjanders
SplunkTrust

Hi mjz, just noticed the decrypt app is archived and wanted to check that was on purpose.

Thanks 


joao_amorim
Communicator

After upgrading the app, the error still occurs.

The decrypt command only works if at the end of a Splunk query.

If I now run sendemail after decrypt I get:

External search command 'sendemail' returned error code 1.

If I run any stats it just shows no results found.

mjz
Explorer

A new version 2.3.1 will be pushed soon to fix this error. A workaround is to install the app on each of the indexers - though in your case it looks like you want to avoid utilizing the indexers - in which case you will want to continue to use the accepted answer even after the upgrade.


gjanders
SplunkTrust

Which version?

https://community.splunk.com/t5/All-Apps-and-Add-ons/DECRYPT-version-2-2-why-is-local-true-in-comman...

There was an issue in 2.2.0 fixed in 2.2.1 where local=true was set but should not have been set.

Is this 2.2.1 or 2.3.0?


ch1221
Path Finder

DECRYPT 2.3.0

gjanders
SplunkTrust

Hmm, interesting, in 2.2.1 I had:

[decrypt]
filename = decrypt.py
streaming = true

And that works, but decrypt 2.3.0 is a re-write so a bit different.

I found that the attempt to import StringIO fails in python3 in Splunk 8.0.x:

02-10-2021 04:02:50.355 INFO  ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/decrypt/bin/decrypt.py
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/decrypt/bin/decrypt.py", line 12, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:     import decryptlib
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/decrypt/bin/decryptlib.py", line 1, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr:     import StringIO
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'StringIO'
02-10-2021 04:02:50.495 ERROR ChunkedExternProcessor - EOF while attempting to read transport header read_size=0
02-10-2021 04:02:50.536 ERROR ChunkedExternProcessor - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.

If you override python.version back to python2 in commands.conf (local/commands.conf) then it should work fine; however, you then have the issue that the lib directory is not on the indexers, so now it works on search heads but fails on indexers.

I updated decrypt.py to:

import os, sys  # needed by the path insert below
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "lib"))  # look for bundled libraries in bin/lib next to this script

And I moved the lib/splunklib to bin/lib/splunklib

That fixes my issue for getting it distributed across the indexers and not running on the SH exclusively. I cannot contact the author to let them know unfortunately 😞

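The two fixes in the post above (the Python 2-only `import StringIO`, and putting the bundled libraries under bin/ so they reach the indexers) as an added example that I wrote; it is not the DECRYPT app's code and not gjanders's patch. It is a module-level shim a Splunk custom search command could start with, and it assumes the layout the post describes: bin/decrypt.py with bin/lib/splunklib beside it. The function names and the path-list parameter are my own, and the constructed path in the `__main__` block stands in for `__file__`. That bin/ is shipped to indexers in the search bundle while a top-level lib/ is not by default is my reading of distsearch.conf's replicationWhitelist, not something the thread states.

```python
import os
import sys

# Python 2/3-compatible StringIO. A bare `import StringIO` (what the traceback
# above shows at decryptlib.py line 1) only exists on Python 2, so it raises
# ModuleNotFoundError (a subclass of ImportError) under Splunk's python3.
try:
    from StringIO import StringIO  # Python 2
except ImportError:
    from io import StringIO  # Python 3


def app_lib_dir(script_path):
    """Directory of the bundled libraries, bin/lib, next to the given script."""
    return os.path.join(os.path.dirname(script_path), "lib")


def ensure_bundled_lib_on_path(script_path, path_list=None):
    """Prepend bin/lib to the import path exactly once and return that directory.

    path_list defaults to sys.path; it is a parameter (my addition) so the
    behaviour can be checked without mutating the interpreter's real path.
    """
    if path_list is None:
        path_list = sys.path
    lib_dir = app_lib_dir(script_path)
    if lib_dir in path_list:
        path_list.remove(lib_dir)  # avoid duplicates if the shim runs twice
    path_list.insert(0, lib_dir)
    return lib_dir


def buffer_text(chunks):
    """Assemble text with whichever StringIO was imported; same code on py2 and py3."""
    buf = StringIO()
    for chunk in chunks:
        buf.write(chunk)
    return buf.getvalue()


def running_python():
    """Major version of the interpreter Splunk launched this script with
    (chosen by python.version in commands.conf)."""
    return sys.version_info[0]


if __name__ == "__main__":
    # Constructed path for illustration; in the real script pass __file__.
    lib_dir = ensure_bundled_lib_on_path("/opt/splunk/etc/apps/decrypt/bin/decrypt.py")
    print("python%d, bundled lib dir: %s" % (running_python(), lib_dir))
    print(buffer_text(["hello ", "world"]))
```

With the shim at the top of decrypt.py and splunklib moved under bin/lib, the same script body imports cleanly on both search head and indexers, which is what lets the command run distributed instead of being pinned to the search head.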