
Unknown search command 'base64'

da029jo
Explorer

Hi,

We had this app deployed in our Splunk Cloud instance running 6.4 and it worked fine. We have now upgraded to 6.5 and when we run the following search:
index=* | eval base64_decode = "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ==" | base64 field=base64_decode action=decode | table base64_decode

We get errors like this:
Search Factory: Unknown search command 'base64'.

However, if I change the search to this:
index=* | stats count | eval base64_decode = "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ==" | base64 field=base64_decode action=decode | table base64_decode

It works. This is not a fix of course, but it does seem to imply that the function is present and works under some conditions. Is anyone able to explain this so that we can get it working for the first example, as this is how we need it to work?

Thanks,

1 Solution

mafisher_splunk
Splunk Employee

What would appear to be happening here is that, though the necessary binaries for base64 are being replicated to the indexers in the replication bundle, they are not executing successfully. The app itself utilises splunklib (a version dated in 2014) and, as has already been said, is only supporting up to 6.3 officially. In other words, behavioral bets are kind of off.

That said, I have successfully installed the app on the indexers of a test system running 6.5, and the search commands now operate as expected. It seems, when not distributed via bundle replication, this works in 6.5.




thisissplunk
Builder

So what's the fix besides manually deploying? To remake the command with the new way (v2)? I'm having the same exact issue (and workaround fix) as you with one of my older custom commands. It's just a solo Python script though. No other dependencies except the imports (math, csv, splunk, etc.).

0 Karma

mattymo
Splunk Employee

In testing I did with another dev, I think it's simply that the idx's need to have the app installed, as it doesn't appear to look for what the search head says about bundles.

The way to do it now seems to just be to push the app to the cluster peers as well as the SH.

- MattyMo
0 Karma

da029jo
Explorer

This is now being investigated by Splunk support due to the fact that the function works on Search head but not on the indexer.

0 Karma

thisissplunk
Builder

Same thing is happening to me. Local = true is fine, but I get the Search Factory error from each indexer when local = false in commands.conf. It also works when I do what the OP did with the stats command. How can I troubleshoot this further, or what is the solution?

0 Karma

sloshburch
Splunk Employee

If you download the app, does its package include a readme or anything that dictates requirements for deployment?

0 Karma

da029jo
Explorer

Nope, it has nothing like that. Support are now looking into this. For now we have deployed an extra "stats" in our most used report as a workaround.

0 Karma

cmerriman
Super Champion

I don't know too much about this app, but here are the arguments for it:

field : field to encode or decode.
action : encode (default) or decode the content. Optional.
mode : replace the existing field content (default) or create a new field named base64 (mode append). Optional.
suppress_error : do not raise errors if set to True. Optional, default to False.

Have you tried using suppress_error to see if that somehow fixes it? It does say on Splunkbase that it is only supported up to Splunk version 6.3.
https://splunkbase.splunk.com/app/1922/#/details

0 Karma
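To make the four arguments above concrete, here is an added example in plain Python (my own code, not the app's implementation, and it does not touch the search-head/indexer distribution problem in this thread). Events are modelled as dicts, the function name base64_command and the event fields are assumptions, and the sample events are constructed, with the first one carrying the base64 string from the search in the question. It shows what mode=replace versus mode=append does to the event, and that suppress_error=True lets malformed values (stray characters, missing padding) pass through untouched rather than aborting the run.

```python
import base64
import binascii
from typing import Any, Dict, List


class Base64CommandError(ValueError):
    """Raised for a value that cannot be encoded/decoded when suppress_error is False."""


VALID_ACTIONS = ("encode", "decode")
VALID_MODES = ("replace", "append")


def _transform(value: str, action: str) -> str:
    """Encode or decode a single string value."""
    if action == "encode":
        return base64.b64encode(value.encode("utf-8")).decode("ascii")
    # validate=True makes stray characters raise instead of being silently dropped
    raw = base64.b64decode(value, validate=True)
    # decoded payloads are not guaranteed to be text; keep the event usable either way
    return raw.decode("utf-8", errors="replace")


def base64_command(
    events: List[Dict[str, Any]],
    field: str,
    action: str = "encode",
    mode: str = "replace",
    suppress_error: bool = False,
) -> List[Dict[str, Any]]:
    """Apply the base64 app's argument semantics to a list of event dicts (assumed model).

    field          - name of the field to transform
    action         - "encode" (default) or "decode"
    mode           - "replace" overwrites the field, "append" writes a new field named "base64"
    suppress_error - True passes malformed values through untouched; False aborts the run
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {VALID_ACTIONS}, got {action!r}")
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")

    output = []
    for event in events:
        ev = dict(event)  # do not mutate the caller's events
        if field not in ev:
            output.append(ev)  # events without the field pass through unchanged
            continue
        try:
            result = _transform(str(ev[field]), action)
        except (binascii.Error, ValueError) as exc:
            if not suppress_error:
                raise Base64CommandError(f"{field}={ev[field]!r}: {exc}") from exc
            output.append(ev)  # suppress_error=True: leave the event exactly as it was
            continue
        ev[field if mode == "replace" else "base64"] = result
        output.append(ev)
    return output


# Constructed sample events; the first payload is the string from the search in the question.
SAMPLE_EVENTS = [
    {"host": "web01", "payload": "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ=="},
    {"host": "web02", "payload": "not base64!!"},   # non-alphabet characters
    {"host": "web03", "payload": "aGVsbG8"},        # missing padding
    {"host": "web04"},                              # field absent
]


if __name__ == "__main__":
    for ev in base64_command(SAMPLE_EVENTS, field="payload", action="decode", suppress_error=True):
        print(ev)
```

Run it as-is and only the first event changes; the two malformed payloads are returned unmodified because suppress_error=True. Drop suppress_error and the second event raises Base64CommandError, which is the behaviour the app's default (suppress_error=False) describes.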

paqua77
Explorer

To get around putting the app on the indexers (indexer load).

Just before the base64 command run the "| localop" command

index=indexname sourcetype=sourcetypename
| localop
| base64 field=warnDataType action=decode mode=replace suppress_error=True

0 Karma

da029jo
Explorer

Thanks, I tried that but no change.

0 Karma