Splunk Search

Why do we get this error when scheduling a search as a report: "line contains NULL byte")?


We have a search that runs fine but when we schedule it as a report, we don't get the e-mail and in _internal we see -

05-26-2020 17:10:25.215 -0400 ERROR ScriptRunner - stderr from '/opt/apps/splunk/bin/python /opt/apps/splunk/etc/apps/search/bin/sendemail.py "results_link=https://:8000/app/search/@go?sid=scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786" "ssname=My test" "graceful=True" "trigger_time=1590527424" results_file="/opt/apps/splunk/var/run/splunk/dispatch/scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786/results.csv.gz"':  _csv.Error: line contains NULL byte

What might be the problem?

0 Karma


The problem was that the developer inserted the NULL character using SED.

Before -

| rex mode=sed s/'//g | rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3)) 

After -

| rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3)) 

Sed works like s/replace-me/with-me/g = that would replace the string "replace-me" with "with-me". So the top (BEFORE) in the first SED replaced the single quote with nothing (NULL) Character. causing the issue – I didn't realize \w+ would match NULL bytes. But it certainly did.

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...