Splunk Enterprise

Error in 'prtglivedata' command: External search command exited unexpectedly with non-zero error code 1.

ssuluguri
Path Finder

Hi team,

I am getting the below error for a custom command.

 "Error in 'prtglivedata' command: External search command exited unexpectedly with non-zero error code 1."

Can someone help?

Below are my default and local .conf files.

Default:

[prtglivedata]
filename = prtglivedata.py
chunked = true
enableheader = true
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_multivalues = true
supports_rawargs = true

 

Local conf file:

[prtglivedata]
filename = prtglivedata.py
chunked = true
enableheader = true
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_multivalues = true
supports_rawargs = true

0 Karma

acharlieh
Influencer

You probably want to reach out to the developer of the custom addon to help with troubleshooting, if they still support it.

Quick search for prtglivedata and I found this app: https://splunkbase.splunk.com/app/3282 which is only marked as being supported on Splunk 7 (which is of course end of life, and before the Python 3 transition), but I'm not sure if that's your app or not.

These conf file configurations by themselves are slightly odd since they have both chunked = true and arguments that only make sense for the original Intersplunk protocol. From commands.conf.spec:

chunked = <boolean>
* Whether or not the search command supports the new "chunked" custom search
  command protocol.
* If set to "true", this command supports the new "chunked" custom
  search command protocol, and only the following commands.conf settings are valid:
  * 'is_risky'
  * 'maxwait'
  * 'maxchunksize'
  * 'filename'
  * 'command.arg.<N>'
  * 'python.version', and
  * 'run_in_preview'.
* If set to "false", this command uses the legacy custom search command
  protocol supported by Intersplunk.py.
* Default: false

 
For reference, the "new" protocol came about a really long time ago. (Splunk SDK changes to support chunked were back in 2015, so something like Splunk 6?)

You could try to look in the search log (see the job inspector), splunkd log, or python log (index=_internal) to see if any errors or stacktraces related to your script are emitted. 

0 Karma
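
A check for the mismatch described in the answer above, as an added example that is not part of the original thread or the add-on's code: it flags settings in a `chunked = true` stanza that the quoted commands.conf.spec excerpt does not list as valid. The function names and the embedded sample (copied from the question's stanza) are this example's own, and the accepted spellings of a true value are an assumption.

```python
import configparser

# Settings the commands.conf.spec excerpt quoted above lists as valid
# when chunked = true ('command.arg.<N>' is matched separately below).
CHUNKED_VALID = {"is_risky", "maxwait", "maxchunksize", "filename",
                 "python.version", "run_in_preview"}
TRUE_VALUES = {"true", "1", "t", "yes", "y"}  # assumption: accepted spellings

# Constructed sample: the [prtglivedata] stanza posted in the question.
SAMPLE = """
[prtglivedata]
filename = prtglivedata.py
chunked = true
enableheader = true
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_multivalues = true
supports_rawargs = true
"""

def valid_when_chunked(key):
    """True if the spec excerpt allows this setting alongside chunked = true."""
    if key == "chunked" or key in CHUNKED_VALID:
        return True
    prefix = "command.arg."
    return key.startswith(prefix) and key[len(prefix):].isdigit()

def lint_commands_conf(text):
    """Return {stanza: [settings not valid under chunked = true]}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    findings = {}
    for stanza in parser.sections():
        settings = parser[stanza]
        if settings.get("chunked", "false").strip().lower() not in TRUE_VALUES:
            continue  # legacy Intersplunk stanza: these settings are expected
        invalid = sorted(k for k in settings if not valid_when_chunked(k))
        if invalid:
            findings[stanza] = invalid
    return findings

if __name__ == "__main__":
    for stanza, keys in lint_commands_conf(SAMPLE).items():
        print(f"[{stanza}] chunked = true, but also sets: {', '.join(keys)}")
```
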