All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does decrypt work in distributed search environments?

ltawfall
Path Finder
‎09-25-2015 10:20 AM

I can get this app to work fine, if I'm running in locally on an indexer. But not from a distributed search head.

index=_internal | decrypt field=sourcetype hex() emit('sourcetype')

Corresponding Errors:

[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.
[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.
[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.
[xxxxx] Streamed search execute failed because: Error in 'decrypt' command: Cannot find program 'decrypt' or script 'decrypt'.

Works when I go to each indexer and run the command but not from the search head.

I basically looking for any app/script that will do base64 decoding from a distributed set up. Thus far I can seem to find one.

Thanks,
Lisa

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-25-2015 03:35 PM

This app is missing a setting within the commands.conf. Add the following settings to decrypt/default/commands.conf local = true. If local=true, specifies that the command should be run on the search head only. The default is false. This should fix the issue.

Example commands.conf:

[decrypt]
filename = decrypt.py
streaming = true
# setting missing from
local = true

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-25-2015 03:35 PM

This app is missing a setting within the commands.conf. Add the following settings to decrypt/default/commands.conf local = true. If local=true, specifies that the command should be run on the search head only. The default is false. This should fix the issue.

Example commands.conf:

[decrypt]
filename = decrypt.py
streaming = true
# setting missing from
local = true
Reply
Solved! Jump to solution

ltawfall
Path Finder
‎09-25-2015 07:55 PM

Yep, that totally did it. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...