Splunk 8.0.4.1:
11-12-2020 06:29:03.713 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/decrypt/bin/decrypt.py 11-12-2020 06:29:03.770 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last): 11-12-2020 06:29:03.770 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/decrypt/bin/decrypt.py", line 12, in <module> 11-12-2020 06:29:03.771 ERROR ChunkedExternProcessor - stderr: import decryptlib 11-12-2020 06:29:03.771 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/decrypt/bin/decryptlib.py", line 1, in <module> 11-12-2020 06:29:03.771 ERROR ChunkedExternProcessor - stderr: import StringIO 11-12-2020 06:29:03.771 ERROR ChunkedExternProcessor - stderr: ModuleNotFoundError: No module named 'StringIO' 11-12-2020 06:29:03.777 ERROR ChunkedExternProcessor - EOF while attempting to read transport header read_size=0 11-12-2020 06:29:03.777 ERROR ChunkedExternProcessor - Error in 'decrypt' command: External search command exited unexpectedly with non-zero error code 1.
The library exists in python2 but not the local python3 install in 8.0.x (which is confusing)
Setting this back to python2 appears to work...
I realize that this is an old post but I came across this issue as well. I had a previous version installed and then installed 2.3.0. $SPLUNK_HOME/etc/apps/decrypt/bin/decryptlib.py was left from the previous version. Delete this file because the updated version now exists in $SPLUNK_HOME/etc/apps/decrypt/lib.
Building on @Unicron 's post above, if there is a decryptlib.pyc, delete that as well. That works for us.
I realize that this is an old post but I came across this issue as well. I had a previous version installed and then installed 2.3.0. $SPLUNK_HOME/etc/apps/decrypt/bin/decryptlib.py was left from the previous version. Delete this file because the updated version now exists in $SPLUNK_HOME/etc/apps/decrypt/lib.