All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1

raymond_prospec
New Member
‎01-29-2020 07:00 PM

When using the VirusTotal Malware Lookup (https://splunkbase.splunk.com/app/4283/) app (and after setting up the VT API Key) I get an error stating it returned a non-zero error code. It occurs when using real data and the test search | makeresults
| eval eicar="131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267"
| virustotal hash=eicar

The search.log entries I get are:

01-30-2020 10:54:37.983 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: \r
01-30-2020 10:54:37.997 ERROR ChunkedExternProcessor - Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1.
0 Karma
Reply

kkrishnan_splun
Splunk Employee
Splunk Employee
‎03-28-2020 08:08 PM

Is there any way to elaborate more on that solution ?

0 Karma
Reply

tomaszdziwok
Path Finder
‎02-12-2020 02:29 AM

Hi Raymond,

I have been able to reproduce the error on Windows Server 2016 with python3.
Fortunately the new version 2.1.0 of the VirusTotal TA seems to remedy the issue.
This new version is now available for download on SplunkBase (manually selectable in the version dropdown).

Version 2.0.0 was running and older version of "splunklib", that didn't officially support python3.
And although this wasn't an issue on Linux, it seems that windows line-breaks (\r\n) were causing problems.

Thanks,
Tomasz

0 Karma
Reply

tomaszdziwok
Path Finder
‎01-30-2020 08:04 AM

Hi,

I am one of the developers for VirusTotal Malware Lookup. Thanks for reporting the issue.
Unfortunately I haven't been able to replicate this error locally.
Could you share some more information about the specifics of the environment?

  • What version of Splunk are you using?
  • What Operating System is Splunk running on (if not in Splunk Cloud)?
  • What version of the Add-On are you using?
  • Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment?
  • Are you using python2 or python3? (depending on the version of Splunk, you can use the following search to determine this: | rest /servicesNS/-/-/configs/conf-server/general | untable id, field, value | search field="python")
  • How long does the command run before it crashes (ERROR time - start time)?

Thanks,
Tomasz

0 Karma
Reply

raymond_prospec
New Member
‎02-11-2020 12:58 AM

What version of Splunk are you using? 8.0.1

What Operating System is Splunk running on (if not in Splunk Cloud)? Windows Server 2016 (moving to Linux soon)

What version of the Add-On are you using? 2.0.0

Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment? Splunk Enterprise

Python verson? Python 3

How long does it run beofre it crashes? Almost immediately, maybe 1 or 2 seconds.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...