Splunk Search

Why do we get this error when scheduling a search as a report: "line contains NULL byte")?

danielbb
Motivator

We have a search that runs fine but when we schedule it as a report, we don't get the e-mail and in _internal we see -

05-26-2020 17:10:25.215 -0400 ERROR ScriptRunner - stderr from '/opt/apps/splunk/bin/python /opt/apps/splunk/etc/apps/search/bin/sendemail.py "results_link=https://:8000/app/search/@go?sid=scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786" "ssname=My test" "graceful=True" "trigger_time=1590527424" results_file="/opt/apps/splunk/var/run/splunk/dispatch/scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786/results.csv.gz"':  _csv.Error: line contains NULL byte

What might be the problem?

0 Karma

danielbb
Motivator

The problem was that the developer inserted the NULL character using SED.

Before -

| rex mode=sed s/'//g | rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3)) 

After -

| rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3)) 

Sed works like s/replace-me/with-me/g = that would replace the string "replace-me" with "with-me". So the top (BEFORE) in the first SED replaced the single quote with nothing (NULL) Character. causing the issue – I didn't realize \w+ would match NULL bytes. But it certainly did.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...