Splunk Enterprise Security

Splunk Enterprise Security: Receiving error "A script exited abnormally" input=".\bin\xxxx.py" stanza="default" status="exited with code 1". How to resolve?

Hi

I keep receiving this error message from Splunk Enterprise Security (ES) on my custom python application, though the application is running fine.

2017-02-20 17:00:06,348 ERROR pid=8860 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input=".\bin\xxxx.py" stanza="default" status="exited with code 1""
2017-02-20 17:00:06,404 ERROR pid=8860 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input=".\bin\yyyyy.py" stanza="default" status="exited with code 1"

Has anyone encountered this before? What is this error referring to, and is there any way to resolve/suppress it?

I have included this in local/inputs.conf but it does not work.
[configuration_check://confcheck_script_errors]
suppress = ((streamfwd|splunk-(wmi.path|MonitorNoHandle.exe|winevtlog.exe|netmon.exe|perfmon.exe|regmon.exe|winprintmon.exe|admon.exe|powershell.exe)).*exited with code 1)

Thank you!

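The suppress line posted above is Splunk's stock value: its alternation only lists Splunk-shipped binaries (streamfwd, splunk-wmi.path, the splunk-*.exe monitors), so it never matches a message whose input is .\bin\xxxx.py. The following added example (not part of the original post, and not ES code) checks that with Python's re module against constructed messages in the shape of the two errors quoted above; it assumes the suppress value is a Python regular expression applied to the message text, and the helper suppress_pattern_for is hypothetical. Keep in mind that suppression only hides the report, it does not change the script's non-zero exit.

```python
import re

# Assumption: the `suppress` value in the confcheck_script_errors stanza is a
# Python regular expression applied to the text of each "A script exited
# abnormally" message. This is the pattern from the post, split for readability.
DEFAULT_SUPPRESS = (
    r"((streamfwd|splunk-(wmi.path|MonitorNoHandle.exe|winevtlog.exe|netmon.exe|"
    r"perfmon.exe|regmon.exe|winprintmon.exe|admon.exe|powershell.exe)).*exited with code 1)"
)

# Constructed messages mirroring the two errors in the post, plus one for a
# Splunk-shipped binary that the stock pattern is meant to cover.
MESSAGES = {
    "custom_xxxx": 'msg="A script exited abnormally" input=".\\bin\\xxxx.py" '
                   'stanza="default" status="exited with code 1"',
    "custom_yyyyy": 'msg="A script exited abnormally" input=".\\bin\\yyyyy.py" '
                    'stanza="default" status="exited with code 1"',
    "streamfwd": 'msg="A script exited abnormally" input="streamfwd" '
                 'stanza="default" status="exited with code 1"',
}


def is_suppressed(message, pattern=DEFAULT_SUPPRESS):
    """True when the message would be hidden by the given suppress regex."""
    return re.search(pattern, message) is not None


def audit(messages, pattern=DEFAULT_SUPPRESS):
    """Map each message name to whether the pattern would suppress it, so an
    operator can see which script errors will still be reported."""
    return {name: is_suppressed(msg, pattern) for name, msg in messages.items()}


def suppress_pattern_for(script_names, base=DEFAULT_SUPPRESS):
    """Hypothetical helper: extend a suppress regex so it also matches
    `.\\bin\\<name>.py` inputs for the listed custom scripts. Backslashes are
    doubled because the pattern is consumed by Python's re module."""
    names = "|".join(re.escape(name) for name in script_names)
    return r"(" + base + r"|\\bin\\(" + names + r")\.py.*exited with code 1)"


if __name__ == "__main__":
    print("stock pattern:", audit(MESSAGES))
    extended = suppress_pattern_for(["xxxx", "yyyyy"])
    print("extended pattern:", audit(MESSAGES, extended))
```

Running it shows the stock pattern suppressing only the streamfwd message, while the two custom-script messages still surface; the extended pattern covers the named scripts and nothing else.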


You are picking up that error message because your default stanza for checking scripts considers any non-zero return code (such as 1) to be an error. Your python script is returning a 1, so therefore it MUST be an error, as far as that stanza is concerned.

Your options are: (1) if the script is returning 1 and does not have an error, fix the script to return zero; (2) if the script is properly returning a 1 which is not an error, then point the script at something other than the default.

This page is very similar, but his solution was to copy code from an older version you wouldn't have. https://answers.splunk.com/answers/329819/alert-manager-script-exit-status-1.html

On this page, the error was bad indenting on the python script -
https://answers.splunk.com/answers/145246/external-search-command-mypythonfile-returned-error-code-1...

Additional information here - https://answers.splunk.com/answers/99328/why-i-get-error-code-1.html

Here's another case where it was an error in the python code - https://answers.splunk.com/answers/189517/why-am-i-getting-error-code-1-for-my-python-script.html

So, assuming the above survey of prior posts about this is typical, you probably have an error in your python code. If you post it here, maybe we can give you more help.
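To make the exit-code rule above concrete: a Python script that dies on an uncaught exception exits with code 1, which is exactly what the confcheck stanza reports, and the traceback goes to stderr. The added example below (my own code, not the poster's script and not Splunk's) emulates that interpreter behaviour in-process for three constructed script bodies: a clean run, an uncaught KeyError of the kind the lookup loop could raise, and the same failure inside a try/except that logs the traceback and picks its own exit code. It assumes Python 3; the script bodies and helper names are hypothetical.

```python
import contextlib
import io
import textwrap
import traceback

# Constructed script bodies (assumption: Python 3; not the poster's script).
CLEAN = "print('define category test_Incident')\n"

# Uncaught exception: the interpreter prints the traceback to stderr and
# exits with 1, which confcheck_script_errors reports as "exited with code 1".
UNCAUGHT = textwrap.dedent("""\
    parsed_json = {}                # e.g. an empty/unexpected lookup response
    unrated = parsed_json['unrated']
""")

# Same failure, wrapped: the traceback still reaches stderr (where splunkd
# records it) and the exit code is chosen deliberately instead of defaulting.
WRAPPED = textwrap.dedent("""\
    import sys, traceback

    def main():
        parsed_json = {}
        return parsed_json['unrated']

    if __name__ == '__main__':
        try:
            main()
        except Exception:
            sys.stderr.write('scripted input failed: ' + traceback.format_exc())
            sys.exit(2)
""")


def run_script(source):
    """Execute a script body as __main__ and return (exit_code, stderr_text),
    applying the interpreter's rules: normal completion -> 0, SystemExit ->
    its code, any other uncaught exception -> traceback on stderr and 1."""
    namespace = {"__name__": "__main__"}
    captured = io.StringIO()
    with contextlib.redirect_stderr(captured):
        try:
            exec(source, namespace)
        except SystemExit as exc:
            if exc.code is None:
                code = 0
            elif isinstance(exc.code, int):
                code = exc.code
            else:
                captured.write(str(exc.code) + "\n")  # sys.exit("msg") prints msg, exits 1
                code = 1
        except Exception:
            traceback.print_exc()
            code = 1
        else:
            code = 0
    return code, captured.getvalue()


def classify(source):
    """Apply the confcheck rule from the answer: any non-zero exit is an error."""
    code, _ = run_script(source)
    return "ok" if code == 0 else "error (exited with code %d)" % code


if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("uncaught", UNCAUGHT), ("wrapped", WRAPPED)):
        code, err = run_script(body)
        print("%-8s -> %s" % (name, classify(body)))
        if err:
            print(textwrap.indent(err.rstrip(), "    "))
```

The point for troubleshooting is the stderr text: whichever branch a script takes, the traceback is what tells you why the exit code was 1, so look for it in splunkd.log next to the "exited with code 1" message before deciding whether the script or the stanza needs changing.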

Hi,

Thanks for the suggestion. Are you able to elaborate on the steps or give an example for suggestion #2? What do you mean by pointing the script at something other than the default?

(2) if the script is properly returning a 1 which is not an error, then point the script at something other than the default.

Thank you.

Here is the python script.

# Python 2 script (urllib2, splunk.Intersplunk); unused imports removed.
import json
import os
import shutil
import sys
import time
import urllib
import urllib2

import splunk.entity as entity
import splunk.Intersplunk


def sitereview(url, proxy, port, username, password):
    """POST the URL to the categorization service through an authenticating
    HTTP proxy and return the raw JSON response body."""
    httpproxy = "{0}:{1}@{2}:{3}".format(username, password, proxy, port)
    proxy_handler = urllib2.ProxyHandler({'http': httpproxy})
    opener = urllib2.build_opener(proxy_handler)
    urllib2.install_opener(opener)

    baseurl = 'http://xxx/rest/categorization'
    query_args = {'url': url}
    data = urllib.urlencode(query_args)
    headers = {'User-Agent': 'Mozilla 5.10'}
    request = urllib2.Request(baseurl, data, headers)
    response = urllib2.urlopen(request)
    # Previously stored in a local called `json`, which shadowed the json module.
    body = response.read()
    return body


def getCredentials(sessionKey):
    """Return (username, clear_password) of the first credential stored for
    the app in Splunk's password store."""
    myapp = 'abc-app'
    try:
        entities = entity.getEntities("storage/passwords", namespace=myapp,
                                      owner='nobody', sessionKey=sessionKey)
    except Exception as e:
        raise Exception("Could not get %s credentials from splunk. Error: %s"
                        % (myapp, str(e)))

    for i, c in entities.items():
        return c['username'], c['clear_password']
    raise Exception("No credentials have been found")


def main():
    databasefile = "localcat.txt"

    # Rotate the category file: keep a dated copy as the source and rewrite
    # databasefile from it.
    date = time.strftime("%Y%m%d")
    newfile = databasefile + "_" + date
    shutil.copyfile(databasefile, newfile)
    os.remove(databasefile)
    destination = open(databasefile, "w")
    source = open(newfile, "r")

    proxy = 'PROXY'
    port = '80'
    # Credentials come from the password store via the session key instead of
    # being hard-coded; getOrganizedResults() reads results and settings from stdin.
    results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
    sessionKey = settings['sessionKey']
    if len(sessionKey) == 0:
        sys.stderr.write("Did not receive a session key from splunkd.")
        sys.exit(0)
    username, password = getCredentials(sessionKey)

    for line in source:
        time.sleep(10)
        if 'define category test_Incident' in line:
            destination.write(line)
        elif 'end' in line:
            destination.write(line)
        else:
            # Strip the trailing newline so the URL sent to the service is clean.
            result_json = sitereview(line.strip(), proxy, port, username, password)
            parsed_json = json.loads(result_json)
            unrated = str(parsed_json['unrated'])
            # Keep only the URLs the service still reports as unrated.
            if unrated.lower() == 'true':
                destination.write(line)

    source.close()
    destination.close()


main()
