Hmm, interesting, in 2.2.1 I had:

[decrypt]
filename = decrypt.py
streaming = true

And that works, but decrypt 2.3.0 is a re-write so a bit different. I found that their attempt to import StringIO fails in python3 in Splunk 8.0.x:

02-10-2021 04:02:50.355 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/decrypt/bin/decrypt.py
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/decrypt/bin/decrypt.py", line 12, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: import decryptlib
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/decrypt/bin/decryptlib.py", line 1, in <module>
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: import StringIO
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'StringIO'
02-10-2021 04:02:50.495 ERROR ChunkedExternProcessor - EOF while attempting to read transport header read_size=0
02-10-2021 04:02:50.536 ERROR ChunkedExternProcessor - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.

If you override the python.version back to python2 in the commands.conf file (local/commands.conf) then it should work fine, however you then have the issue that the lib directory is not on the indexers so now it works on search heads but fails on indexers.

I updated decrypt.py to:

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "lib"))

And I moved the lib/splunklib to bin/lib/splunklib. That fixes my issue for getting it distributed across the indexers and not running on the SH exclusively. I cannot contact the author to let them know unfortunately 😞
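A triage helper for the failure shown in the post above, added here as an example and not part of the original post or the decrypt app: it scans ChunkedExternProcessor log lines for import failures and flags whether the missing module is a Python 2-only name (a porting problem) or something else (for instance a lib directory that is not on the script's path). The function name, the PY2_ONLY list and the exampleapp sample lines are assumptions made for illustration.

```python
import re

# Python 2 standard-library names that do not exist under these names in Python 3.
PY2_ONLY = {"StringIO", "cStringIO", "urllib2", "urlparse", "ConfigParser", "Queue", "cPickle", "httplib"}

LINE = re.compile(r"^(?P<ts>\d\d-\d\d-\d{4} [\d:.]+) (?P<level>\w+)\s+ChunkedExternProcessor - (?P<msg>.*)$")
RUN = re.compile(r"^Running process: (?P<interp>\S+) (?P<script>\S+)")
MISSING = re.compile(r"^stderr:\s*(?:ModuleNotFoundError|ImportError): No module named '?(?P<mod>[\w.]+)'?")

# Sample input: the decrypt lines are from the post; the exampleapp lines are constructed.
SAMPLE_LOG = """\
02-10-2021 04:02:50.355 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/decrypt/bin/decrypt.py
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: import StringIO
02-10-2021 04:02:50.485 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'StringIO'
02-10-2021 04:02:50.536 ERROR ChunkedExternProcessor - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.
02-10-2021 04:05:11.010 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/exampleapp/bin/example.py
02-10-2021 04:05:11.120 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'splunklib'
"""

def find_import_failures(log_text):
    """Return one finding per import failure, tied to the script that was launched.

    Assumes a process's stderr lines follow its own "Running process" line,
    i.e. the log excerpt is not interleaved with another search's output.
    """
    findings, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        run = RUN.match(msg)
        if run:
            current = run.groupdict()
            continue
        miss = MISSING.match(msg)
        if miss and current:
            mod = miss.group("mod")
            findings.append({
                "time": m.group("ts"),
                "script": current["script"],
                "interpreter": current["interp"],
                "module": mod,
                # True: code needs porting to Python 3. False: check packaging and sys.path.
                "py2_only": mod.split(".")[0] in PY2_ONLY,
            })
    return findings

if __name__ == "__main__":
    for f in find_import_failures(SAMPLE_LOG):
        print(f)
```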