Streamed Search Execute Failed Because: Error in '...

JoshuaJJ · ‎03-20-2024

Good morning,

I am having issues with admon and running into this error:

Streamed Search Execute Failed Because: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/var/run/searchpeers/B3E####/apps/Splunk_TA_Windows/bin/user_account_control_property.py'..

Transforms on indexer

#########Active Directory ##########

[user_account_control_property]

external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlad

external_type = python

field_list = userAccountControl, userAccountPropertyFlag

python.version = python3

Script is located within the bin directory of the App .../bin/user_account_control_property

The error is happening when I run this search index=test source=ActiveDirectory

I have an app created called ADMON on the deployment server which is being deployed to my primary domain controllers. At first, I saw a ton of sync data, after that it was erroring out with the above error message.

marnall · ‎03-20-2024

At first glance it seems your field/argument "userAccountPropertyFlag" ends with a 'd' character when passed to the script: "userAccountPropertyFlad"

If that doesn't fix it, you may be able to find more informational errors by searching in the internal error logs relating to this script:

index=_internal user_account_control_property.py log_level=ERROR

Streamed Search Execute Failed Because: Error in 'lookup' command

other

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today