All Apps and Add-ons

Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1

raymond_prospec
New Member

When using the VirusTotal Malware Lookup (https://splunkbase.splunk.com/app/4283/) app (and after setting up the VT API Key) I get an error stating it returned a non-zero error code. It occurs when using real data and the test search | makeresults
| eval eicar="131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267"
| virustotal hash=eicar

The search.log entries I get are:

01-30-2020 10:54:37.983 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: \r
01-30-2020 10:54:37.997 ERROR ChunkedExternProcessor - Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1.
0 Karma

jhilton90
Path Finder

I'm having the same issue on Splunk Cloud V9.0.2209.3.

I'm trying to query some urls in our logs using the following command

index=log_source category=log_category
| virustotal domain=properties.UrlChain

I get the following errors:

Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1.

Streamed search execute failed because: Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1..

0 Karma

kkrishnan_splun
Splunk Employee
Splunk Employee

Is there any way to elaborate more on that solution ?

0 Karma

tomaszdziwok
Path Finder

Hi Raymond,

I have been able to reproduce the error on Windows Server 2016 with python3.
Fortunately the new version 2.1.0 of the VirusTotal TA seems to remedy the issue.
This new version is now available for download on SplunkBase (manually selectable in the version dropdown).

Version 2.0.0 was running and older version of "splunklib", that didn't officially support python3.
And although this wasn't an issue on Linux, it seems that windows line-breaks (\r\n) were causing problems.

Thanks,
Tomasz

0 Karma

tomaszdziwok
Path Finder

Hi,

I am one of the developers for VirusTotal Malware Lookup. Thanks for reporting the issue.
Unfortunately I haven't been able to replicate this error locally.
Could you share some more information about the specifics of the environment?

  • What version of Splunk are you using?
  • What Operating System is Splunk running on (if not in Splunk Cloud)?
  • What version of the Add-On are you using?
  • Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment?
  • Are you using python2 or python3? (depending on the version of Splunk, you can use the following search to determine this: | rest /servicesNS/-/-/configs/conf-server/general | untable id, field, value | search field="python")
  • How long does the command run before it crashes (ERROR time - start time)?

Thanks,
Tomasz

0 Karma

raymond_prospec
New Member

What version of Splunk are you using? 8.0.1

What Operating System is Splunk running on (if not in Splunk Cloud)? Windows Server 2016 (moving to Linux soon)

What version of the Add-On are you using? 2.0.0

Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment? Splunk Enterprise

Python verson? Python 3

How long does it run beofre it crashes? Almost immediately, maybe 1 or 2 seconds.

0 Karma
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...