When using the VirusTotal Malware Lookup (https://splunkbase.splunk.com/app/4283/) app (and after setting up the VT API Key) I get an error stating it returned a non-zero error code. It occurs when using real data and the test search
| eval eicar="131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267"
| virustotal hash=eicar
The search.log entries I get are:
01-30-2020 10:54:37.983 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: \r
01-30-2020 10:54:37.997 ERROR ChunkedExternProcessor - Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1.
Is there any way to elaborate more on that solution?
I have been able to reproduce the error on Windows Server 2016 with python3.
Fortunately the new version 2.1.0 of the VirusTotal TA seems to remedy the issue.
This new version is now available for download on SplunkBase (manually selectable in the version dropdown).
Version 2.0.0 was running an older version of "splunklib", that didn't officially support python3.
And although this wasn't an issue on Linux, it seems that Windows line-breaks (\r\n) were causing problems.
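To illustrate the failure mode described above, here is an added example (not code from the VirusTotal TA or from Splunk) of a minimal reader and writer for the chunked custom-search-command transport header. The header format "chunked 1.0,<metadata_length>,<body_length>\n" is assumed from Splunk's public protocol v2 documentation; the example shows how a Windows-style "\r\n" terminator leaves a stray "\r" that a strict parser rejects, and that writing bytes with a bare "\n" avoids it.

```python
import io
import json
import re

# Transport header assumed from Splunk's chunked protocol docs:
# "chunked 1.0,<metadata_length>,<body_length>\n"
HEADER_RE = re.compile(rb"^chunked 1\.0,(\d+),(\d+)$")

def parse_transport_header(line: bytes, strict: bool = True):
    """Return (metadata_length, body_length) or raise ValueError.

    strict=True behaves like a reader that expects a bare '\\n' terminator:
    a Windows '\\r\\n' line ending leaves a trailing '\\r' and the header
    does not parse. strict=False tolerates and strips the '\\r'.
    """
    head = line.rstrip(b"\n")
    if not strict:
        head = head.rstrip(b"\r")
    m = HEADER_RE.match(head)
    if not m:
        raise ValueError("Failed attempting to parse transport header: %r" % head)
    return int(m.group(1)), int(m.group(2))

def write_chunk(stream, metadata: dict, body: str, newline: bytes = b"\n"):
    """Write one chunk to a binary stream. newline=b'\\r\\n' reproduces
    what text-mode stdout on Windows would emit; b'\\n' is the safe form."""
    meta = json.dumps(metadata).encode("utf-8")
    payload = body.encode("utf-8")
    stream.write(b"chunked 1.0,%d,%d" % (len(meta), len(payload)) + newline)
    stream.write(meta)
    stream.write(payload)

def read_chunk(stream, strict: bool = True):
    """Read one chunk back and return (metadata_dict, body_str)."""
    meta_len, body_len = parse_transport_header(stream.readline(), strict)
    meta = json.loads(stream.read(meta_len))
    body = stream.read(body_len).decode("utf-8")
    return meta, body

def roundtrip(newline: bytes, strict: bool):
    """Write a constructed 'getinfo' chunk with the given line ending and
    read it back; return the parsed action, or the error text on failure."""
    buf = io.BytesIO()
    write_chunk(buf, {"action": "getinfo", "preview": False}, "", newline)
    buf.seek(0)
    try:
        return read_chunk(buf, strict)[0]["action"]
    except ValueError as exc:
        return str(exc)
```

Running roundtrip(b"\r\n", True) reproduces the "Failed attempting to parse transport header" wording from the search.log, while roundtrip(b"\n", True) succeeds.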
I am one of the developers for VirusTotal Malware Lookup. Thanks for reporting the issue.
Unfortunately I haven't been able to replicate this error locally.
Could you share some more information about the specifics of the environment?
What version of Splunk are you using? 8.0.1
What Operating System is Splunk running on (if not in Splunk Cloud)? Windows Server 2016 (moving to Linux soon)
What version of the Add-On are you using? 2.0.0
Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment? Splunk Enterprise
Python version? Python 3
How long does it run before it crashes? Almost immediately, maybe 1 or 2 seconds.