From splunkd.log
Traceback (most recent call last):
04-29-2020 10:15:14.055 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - File "C:\Program Files\Splunk\etc\apps\sendresults\bin\sendresults_alert.py", line 206, in <module>
04-29-2020 10:15:14.055 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - with gzip.open(payload.get('results_file'),'rt') as fin:
04-29-2020 10:15:14.055 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - File "C:\Program Files\Splunk\Python-2.7\lib\gzip.py", line 34, in open
04-29-2020 10:15:14.056 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - return GzipFile(filename, mode, compresslevel)
04-29-2020 10:15:14.057 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - File "C:\Program Files\Splunk\Python-2.7\lib\gzip.py", line 94, in __init__
04-29-2020 10:15:14.057 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - fileobj = self.myfileobj = __builtin__.open(filename, mode or 'rb')
04-29-2020 10:15:14.057 -0500 ERROR sendmodalert - action=sendresults_alert STDERR - ValueError: Invalid mode ('rtb')
04-29-2020 10:15:14.613 -0500 INFO sendmodalert - action=sendresults_alert - Alert action script completed in duration=1632 ms with exit code=1
04-29-2020 10:15:14.613 -0500 WARN sendmodalert - action=sendresults_alert - Alert action script returned error code=1
04-29-2020 10:15:14.613 -0500 ERROR sendmodalert - Error in 'sendalert' command: Alert script returned error code 1.
sendresults.log didn't have anything but this. Doesn't appear in the logs until after the upgrade and the errors occur.
2020-05-04 11:40:43,437 INFO invocation_id=123456789.12:1234invocation_type="action" py_version=sys.version_info(major=2, minor=7, micro=17, releaselevel='final', serial=0)
Rolled back to 4.0.1, working again. Splunk is on 8.0.2.
Hi,
I was able to reproduce this issue on Windows with V5.0.0 of sendresults. Turns out it's a python2/3 thing that got missed during our testing.
If you are on Windows + 8.0.x then I suggest setting Splunk to use python3 for the alert action version (make the change in local):
[sendresults_alert]
python.version = python3
If you are on Windows + 7.3.x then you will need to update line 206 of $SPLUNK_HOME/etc/apps/sendresults/bin/sendresults_alert.py
Change from this:
with gzip.open(payload.get('results_file'),'rt') as fin:
To this:
with gzip.open(payload.get('results_file'),'r') as fin:
If you make this change you will need to revert the change back if you upgrade to Splunk 8.0.x and apply the python version change as noted.
We will add an issue and address it properly in our next release. Thanks for letting us know about it. Feel free to email us at support@discoveredintelligence.ca if you have any other issues/questions about sendresults.
Thanks,
Derek.
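
The Python 2/3 difference behind the ValueError in the traceback, as an added example that is not part of the original posts or the sendresults app's own code: Python 2.7's gzip module appends 'b' to any mode that lacks it, so 'rt' becomes the invalid 'rtb', while Python 3's gzip.open accepts text modes. The helper names (open_results, read_results, make_sample_payload), the UTF-8 encoding and the sample CSV are assumptions made for illustration.

```python
import csv
import gzip
import os
import sys
import tempfile

PY2 = sys.version_info[0] == 2


def open_results(path):
    """Open a gzipped CSV results file in a mode the running interpreter accepts."""
    if PY2:
        # Python 2.7: GzipFile turns 'rt' into 'rtb' and the built-in open()
        # rejects it. The Python 2 csv module reads byte strings, so 'rb' works.
        return gzip.open(path, 'rb')
    # Python 3: gzip.open supports text mode and decodes the stream itself.
    # newline='' lets the csv module handle line endings on its own.
    return gzip.open(path, 'rt', encoding='utf-8', newline='')


def read_results(payload):
    """Return the rows of payload['results_file'] as a list of plain dicts."""
    with open_results(payload.get('results_file')) as fin:
        return [dict(row) for row in csv.DictReader(fin)]


def make_sample_payload():
    """Write a constructed results file and return a payload dict pointing at it."""
    fd, path = tempfile.mkstemp(suffix='.csv.gz')
    os.close(fd)
    with gzip.open(path, 'wb') as fout:
        # Constructed sample data, not real search results.
        fout.write(b'host,count\r\nweb01,3\r\ndb02,7\r\n')
    return {'results_file': path}


if __name__ == '__main__':
    payload = make_sample_payload()
    try:
        for row in read_results(payload):
            print(row)
    finally:
        os.remove(payload['results_file'])
```

Branching on the interpreter version this way means the same script runs whichever python.version the alert action is configured with.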
Yep, that worked, just needed a restart to take effect. Thanks!
Thanks for letting us know. I'll have to do some testing to try and reproduce it.
In the short term, could you try adjusting the python version to Python3 in alert_actions.conf (make the changes in local) to see if that resolves it?
[sendresults_alert]
python.version = python3
Let me know if that works.
Sure I'll try that later today.