Hi,
We had this app deployed in our Splunk Cloud instance running 6.4 it worked fine. We have now upgraded to 6.5 and when we run the following search:
index=* | eval base64_decode = "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ==" | base64 field=base64_decode action=decode | table base64_decode
We get errors like this:
Search Factory: Unknown search command 'base64'.
However, if I change the search to this:
index=* | stats count | eval base64_decode = "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ==" | base64 field=base64_decode action=decode | table base64_decode
It works. This is not a fix of course, but it does seem to imply that the function is present and works under some conditions. Is anyone able to explain this so that we can get it working for the first example, as this is how we need it to work?
Thanks,
What would appear to be happening here is that, though the necessary binaries for base64 are being replicated to the indexers in the replication bundle, they are not executing successfully. The app itself utilises splunklib (a version dated in 2014) and, as has already been said, is only supporting up to 6.3 officially. In other words, behavioral bets are kind of off.
That said, I have successfully installed the app on the indexers of a test system running 6.5, and the search commands now operate as expected. It seems, when not distributed via bundle replication, this works in 6.5.
To get around putting the app on the indexers (indexer load), run the "| localop" command just before the base64 command:
index=indexname sourcetype=sourcetypename
| localop
| base64 field=warnDataType action=decode mode=replace suppress_error=True
So what's the fix besides manually deploying? To remake the command the new way (v2)? I'm having the same exact issue (and workaround fix) as you with one of my older custom commands. It's just a solo Python script, though, with no other dependencies except the imports (math, csv, splunk, etc.).
In testing I did with another dev, I think it's simply that the indexers need to have the app installed, as it doesn't appear to look for what the search head says about bundles.
The way to do it now seems to be to push the app to the cluster peers as well as the search head.
This is now being investigated by Splunk support due to the fact that the function works on Search head but not on the indexer.
Same thing is happening to me. local = true is fine, but I get the Search Factory error from each indexer when local = false in commands.conf. It also works when I do what the OP did with the stats command. How can I troubleshoot this further, or what is the solution?
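As an added illustration (not the app's own file, nor from any poster in this thread): a local/commands.conf override that pins the command to the search head, which is the configuration counterpart of the "| localop" workaround posted above. The stanza name is an assumption; take it from the app's default/commands.conf.

```ini
# local/commands.conf inside the base64 app (added example; the [base64]
# stanza name is assumed, copy it from the app's default/commands.conf).
#
# With local = false the command is shipped to the indexers in the knowledge
# bundle and has to execute there, which is the path that fails in this
# thread with "Unknown search command 'base64'".
#
# local = true makes Splunk run the command on the search head only, the same
# effect as putting "| localop" before it in the search, so the indexers do
# not need a working copy of the app. Cost: every event the base search
# returns is streamed to the search head before base64 runs, so keep the base
# search narrow (index=... sourcetype=...) rather than index=*.
[base64]
local = true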
If you download the app, does its package include a readme or anything that dictates requirements for deployment?
Nope, it has nothing like that. Support are now looking into this. For now we have deployed an extra "stats" in our most used report as a workaround.
I don't know too much about this app, but here are the arguments for it:
field : field to encode or decode.
action : encode (default) or decode the content. Optional.
mode : replace the existing field content (default) or create a new field named base64 (mode append). Optional.
suppress_error : do not raise errors if set to True. Optional, default to False.
Have you tried using suppress_error to see if that somehow fixes it? It does say on Splunkbase that it is only supported up to Splunk version 6.3.
https://splunkbase.splunk.com/app/1922/#/details
Thanks, I tried that but no change.