Hey there, 
i have wrote a custom command in order to execute whois querys using an internal whois server,
which expects csv files and returns json files containing the results.
The CSVs are sent using HTTP posts. I have used pythons request module for this.
As the company policy leaves no room for internet connections, i have manually imported the module.
If i remove the http request (call of the getWhoisInfo), the code works perfectly fine and writes "Test" to each event into the newly generated column.
As soon as i execute the function and hence make the http post, there seems to be some kind of conflict with splunk. It results with the error  "The external search command 'whois' did not return events in descending time order, as expected."

Has anyone an idea or faced similar issues?
Thanks a lot in Advance 🙂 

#!/usr/bin/env python

import sys
import os
import csv
import pathlib
import json

script_path = os.path.realpath(__file__)

sys.path.append(os.path.join(script_path,"requests-2.25.1"))
sys.path.append(os.path.join(script_path,"splunklib"))


import requests
from splunklib.searchcommands import dispatch, EventingCommand, Configuration, Option, validators

csv_header = "Query"

def createCSV(header,data):
    with open(os.path.join(pathlib.Path(__file__).parent.absolute(),"..","tmp","whois_temp.csv"), "w+", newline='\n') as tmpcsv:
        wr = csv.writer(tmpcsv, quoting=csv.QUOTE_NONE)
        wr.writerow([csv_header])
        wr.writerows(data)
    return os.path.join(pathlib.Path(__file__).parent.absolute(),"..","tmp","whois_temp.csv")

def getWhoisInfo(csv_file):
    response = requests.post("http://[TargetHost]:[TargetPort]/whois", files={'file': open(csv_file, "r")},timeout=2)
    print(response.status_code)
    if response.status_code == 200:
        return response.text
    else:
        return None

@Configuration()
class whoisCommand(EventingCommand):
    """ %(synopsis)

    ##Syntax

    %(syntax)

    ##Description

    %(description)

    """
    fieldname = Option(
        doc='''
        **Syntax:** **fieldname=***<fieldname>*
        **Description:** Name of the field that will hold the whois results''',
        require=True, validate=validators.Fieldname())

    def transform(self, records):
        rec = list(records)
        data = [[record["hosts"]] for record in rec if record["hosts"] != ""]
        tmp_csv = createCSV(csv_header, data)
        whois_response = getWhoisInfo(tmp_csv)
        for record in rec:
            record[self.fieldname] = "TEST"
        return rec


if __name__ == "__main__":
    dispatch(whoisCommand, sys.argv, sys.stdin, sys.stdout, __name__)

PS: setting overrides_timeorder to true will not help