
Where to fix Splunk Machine Learning Tool kit: Error in 'fit' command: External search command exited unexpectedly.?



I just installed the ML toolkit for Splunk and am running into the below error every time I go to the showcase and attempt to use one of the dashboards and create a "fit model".

Error in 'fit' command: External search command exited unexpectedly.

I've also tested the SPL search using the fit command and I get the same error.

I've made sure to download Python for Scientific Computing Add-on specific to my OS (linux) prior to installing the ML toolkit and made sure that the permissions are all global.

Splunkd.log only shows the below error message:

    07-26-2019 14:39:01.121 -0400 ERROR ChunkedExternProcessor - EOF while attempting to read transport header
    07-26-2019 14:39:01.121 -0400 ERROR ChunkedExternProcessor - Error in 'fit' command: External search command exited unexpectedly.

Splunk version: 7.0.2

Has anyone run into this issue before with this app, or maybe a different app with the same error? The fit command is essentially a python script and I've been combing through the code, but can't determine which line the EOF error is referencing.


Path Finder

I had a similar problem. I resolved it by trying the different versions of Splunk_SA_Scientific_Python which were supposed to be compatible with the version of Splunk MLTK I was using.

Splunk MLTK v540 is fully compatible with Splunk SA Scientific Python linux x86 64 v310.

0 Karma

Path Finder

I found a solution to this problem. You need to update three Python packages that come as part of Splunk_SA_Scientific_Python_linux_x86_64 -- NumPy, SciPy and scikit_learn.
To do this, you need to do the following:

  1. Download the latest numpy, scipy and scikit_learn packages from the Python software repository (yum won't help because it downloads older versions)


  2. Install packages in system python

    pip install numpy-1.16.5-cp27-cp27mu-manylinux1_x86_64.whl
    pip install scipy-1.2.2-cp27-cp27mu-manylinux1_x86_64.whl
    pip install scikit_learn-0.20.4-cp27-cp27mu-manylinux1_x86_64.whl

  3. Make a backup of the original numpy, scipy and scikit_learn packages located in Splunk_SA_Scientific_Python_linux_x86_64

    mv $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/numpy $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/numpy.orig
    mv $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/scipy $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/scipy.orig
    mv $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/sklearn $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/sklearn.orig

  4. Copy installed packages from system python to Splunk_SA_Scientific_Python_linux_x86_64

    cp -r /usr/lib64/python2.7/site-packages/numpy* -t $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
    cp -r /usr/lib64/python2.7/site-packages/scipy* -t $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
    cp -r /usr/lib64/python2.7/site-packages/sklearn -t $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages

All done, you can now run the search with the fit command (Splunk reboot is not required).

The numpy, scipy and scikit_learn packages in system python are no longer needed and you can remove them with the pip uninstall <package> command.


This also happens with Splunk 8 and Python 3, but I have not tried this fix yet.

0 Karma

Path Finder

I have the same problem. I researched the problem and found that the problem is in the numpy module.
The Python code "import numpy as np" causes "Illegal instruction (core dumped)".
You can check this by running the command:

    /opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/bin/python -c "import numpy as np"

You will see a lot of errors like "ERROR:root:code for hash xxxxx was not found." - that's okay.
If you have no problems with the "fit" command, then the last lines of the output will be:

ValueError: unsupported hash type sha512

If you have problems with the "fit" command, then the last lines of the output will be:

ValueError: unsupported hash type sha512
Illegal instruction (core dumped)

I have not yet found why the numpy module does not start...
I have Splunk 7.3.2, Splunk_SA_Scientific_Python_linux_x86_64 1.4 and Splunk_ML_Toolkit 4.4.1

0 Karma


Hi BigCosta

I am also getting the "Error in 'fit' command: External search command exited unexpectedly" error. I tried running python -c "import numpy as np" in /opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/bin, but I got the error message ImportError: No module named numpy. Does this mean we don't even have numpy installed?

We are running Splunk 7.3.3, Splunk Machine Learning Toolkit 4.5.0

0 Karma
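
The numpy import check from the two posts above, wrapped as a script that tells the outcomes apart by exit status. This is an added example, not code from the thread or from Splunk; the verdict words are invented for the example, and the default interpreter path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify how the PSC-bundled Python
# fails on "import numpy". Default path is the one quoted in the thread.
PSC_PY="${PSC_PY:-/opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/bin/python}"

# check_numpy_import <interpreter>
# Prints a one-word verdict; returns 0 only if the import succeeded.
check_numpy_import() {
    py="$1"
    if [ ! -x "$py" ]; then
        echo "no-interpreter"
        return 2
    fi
    status=0
    # Capture stderr only; the || guard keeps a crash from aborting under set -e.
    err=$("$py" -c 'import numpy as np' 2>&1 >/dev/null) || status=$?

    # The thread reports hashlib noise on stderr even on working installs,
    # so decide on the exit status first and read stderr only afterwards.
    if [ "$status" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    if [ "$status" -gt 128 ]; then
        # A shell reports death by signal N as exit status 128+N.
        sig=$((status - 128))
        if [ "$sig" -eq 4 ]; then
            echo "sigill"          # "Illegal instruction (core dumped)"
        else
            echo "signal-$sig"
        fi
        return 1
    fi
    case "$err" in
        *"No module named"*) echo "missing-numpy" ;;
        *)                   echo "error-$status" ;;
    esac
    return 1
}

# Report on the bundled interpreter (override PSC_PY for other installs).
echo "numpy import under $PSC_PY: $(check_numpy_import "$PSC_PY")"
```

A `sigill` verdict corresponds to the crash that leaves splunkd.log with only the "EOF while attempting to read transport header" line, while `missing-numpy` corresponds to the ImportError case.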


Hi @BernardEAI ,

I solved the problem after installing PSC 1.3 and fixing some library problems on my Linux. On my Linux, if I try to execute the command "openssl" I get some errors due to libraries not being found. I fixed the problem by creating symlinks to the right library with the right name. The version of MLTK is also 4.5 for me, with Splunk 7.3.4.

Hope this helps

Best Regards



Hi @eca 

Thanks for the tip on the PSC 1.3 - I installed this version and it solved the problem (without any other changes)! I'm very confused about why this is, and why there isn't better documentation on this.

Our current setup: Splunk Version:7.3.3, MLTK 4.2.0 and PSC 1.3.


Hello @BigCosta,

I have a problem similar to yours, were you able to address it?


Best Regards


0 Karma

Path Finder

Hi Emiliano!

Yes, I solved this problem.

Solution in my post in this thread from date 10-12-2019 08:41 PM.


0 Karma