Unknown search command 'base64'

Explorer

Hi,

We had this app deployed in our Splunk Cloud instance running 6.4 and it worked fine. We have now upgraded to 6.5, and when we run the following search:
index=* | eval base64decode = "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ==" | base64 field=base64decode action=decode | table base64_decode

We get errors like this:
Search Factory: Unknown search command 'base64'.

However, if I change the search to this:
index=* | stats count | eval base64decode = "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ==" | base64 field=base64decode action=decode | table base64_decode

It works. This is not a fix of course, but it does seem to imply that the function is present and works under some conditions. Is anyone able to explain this so that we can get it working for the first example, as this is how we need it to work?

Thanks,

1 Solution

Splunk Employee

What would appear to be happening here is that, though the necessary binaries for base64 are being replicated to the indexers in the replication bundle, they are not executing successfully. The app itself utilises splunklib (a version dated in 2014) and, as has already been said, is only supporting up to 6.3 officially. In other words, behavioral bets are kind of off.

That said, I have successfully installed the app on the indexers of a test system running 6.5, and the search commands now operate as expected. It seems, when not distributed via bundle replication, this works in 6.5.

Explorer

To get around putting the app on the indexers (indexer load), run the "| localop" command just before the base64 command:

index=indexname sourcetype=sourcetypename
| localop
| base64 field=warnDataType action=decode mode=replace suppress_error=True

Builder

So what's the fix besides manually deploying? To remake the command the new way (v2)? I'm having the same exact issue (and workaround fix) as you with one of my older custom commands. It's just a solo Python script, though. No other dependencies except the imports (math, csv, splunk, etc.).

Splunk Employee

In testing I did with another dev, I think it's simply that the idx's need to have the app installed, as it doesn't appear to look for what the search head says about bundles.

The way to do it now seems to be to just push the app to the cluster peers as well as the SH.

Explorer

This is now being investigated by Splunk support due to the fact that the function works on the search head but not on the indexer.

Builder

Same thing is happening to me. local = true is fine, but I get the Search Factory error from each indexer when local = false in commands.conf. It also works when I do what the OP did with the stats command. How can I troubleshoot this further, or what is the solution?

Ultra Champion

If you download the app, does its package include a readme or anything that dictates requirements for deployment?

Explorer

Nope, it has nothing like that. Support are now looking into this. For now we have deployed an extra "stats" in our most used report as a workaround.

Super Champion

I don't know too much about this app, but here are the arguments for it:

field : field to encode or decode.
action : encode (default) or decode the content. Optional.
mode : replace the existing field content (default) or create a new field named base64 (mode append). Optional.
suppress_error : do not raise errors if set to True. Optional, default to False.

Have you tried using suppress_error to see if that somehow fixes it? It does say on Splunkbase that it is only supported up to Splunk version 6.3.
https://splunkbase.splunk.com/app/1922/#/details

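To make the argument list above concrete, here is an added example (not the app's own code, which is a splunklib-based custom command) that models the documented field / action / mode / suppress_error semantics over a list of event dicts. The sample events are constructed here, using the base64 string from the question plus one invalid value so the suppress_error behaviour is visible.

```python
import base64
import binascii

# Constructed sample events: the first carries the string from the original
# question, the second is deliberately not valid base64.
SAMPLE_EVENTS = [
    {"base64decode": "dzAwdCwgdGhpcyBpcyBkZWNvZGVkIHN1Y2Nlc3NmdWxseSAhIQ=="},
    {"base64decode": "not base64!"},
]


def base64_command(events, field, action="encode", mode="replace",
                   suppress_error=False):
    """Model of the base64 app's documented arguments (this is a stand-in, not the app).

    field          : name of the field to encode or decode
    action         : "encode" (default) or "decode"
    mode           : "replace" the field content (default) or "append" a new
                     field named base64
    suppress_error : if True, leave an event untouched on error instead of raising
    """
    if action not in ("encode", "decode"):
        raise ValueError(f"unknown action {action!r}")
    if mode not in ("replace", "append"):
        raise ValueError(f"unknown mode {mode!r}")

    out = []
    for event in events:
        event = dict(event)  # never mutate the caller's events
        value = event.get(field)
        if value is None:  # field missing: pass the event through unchanged
            out.append(event)
            continue
        try:
            if action == "decode":
                # validate=True rejects characters outside the base64 alphabet
                result = base64.b64decode(value, validate=True).decode("utf-8")
            else:
                result = base64.b64encode(value.encode("utf-8")).decode("ascii")
        except (binascii.Error, UnicodeDecodeError) as exc:
            if suppress_error:
                out.append(event)
                continue
            raise ValueError(f"base64 {action} failed on field {field!r}: {exc}") from exc
        target = field if mode == "replace" else "base64"
        event[target] = result
        out.append(event)
    return out
```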
Explorer

Thanks, I tried that but no change.
