
Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1

raymond_prospec
New Member

When using the VirusTotal Malware Lookup (https://splunkbase.splunk.com/app/4283/) app (and after setting up the VT API Key) I get an error stating it returned a non-zero error code. It occurs when using real data and with the test search:

| makeresults
| eval eicar="131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267"
| virustotal hash=eicar

The search.log entries I get are:

01-30-2020 10:54:37.983 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: \r
01-30-2020 10:54:37.997 ERROR ChunkedExternProcessor - Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1.
0 Karma

kkrishnan_splun
Splunk Employee

Is there any way to elaborate more on that solution?

0 Karma

tomaszdziwok
Path Finder

Hi Raymond,

I have been able to reproduce the error on Windows Server 2016 with python3.
Fortunately the new version 2.1.0 of the VirusTotal TA seems to remedy the issue.
This new version is now available for download on SplunkBase (manually selectable in the version dropdown).

Version 2.0.0 was running an older version of "splunklib" that didn't officially support python3.
And although this wasn't an issue on Linux, it seems that Windows line-breaks (\r\n) were causing problems.

Thanks,
Tomasz

0 Karma
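The answer above attributes the "Failed attempting to parse transport header: \r" error to Windows line breaks. The following is an added example, not code from the VirusTotal add-on or from splunklib, that models why that happens. Splunk talks to a chunked external command over stdin/stdout using a header of the form "chunked 1.0,<metadata_length>,<body_length>\n"; the strict parser, the CRLF simulation via io.TextIOWrapper and the sample payloads below are all constructed here for illustration and are not Splunk's own implementation. The eicar hash is the one from the question.

```python
# Added example: a minimal model of the Splunk "chunked" external-command
# transport header. Not splunklib or add-on code. It shows why writing the
# protocol through a text-mode stdout on Windows (which turns "\n" into "\r\n")
# leaves a stray "\r" in the header, and why a binary stream does not.
import io

HEADER_PREFIX = b"chunked 1.0,"


def encode_chunk(metadata: bytes, body: bytes) -> bytes:
    """Build one chunk: 'chunked 1.0,<meta_len>,<body_len>\\n' + metadata + body."""
    header = b"chunked 1.0,%d,%d\n" % (len(metadata), len(body))
    return header + metadata + body


def parse_transport_header(line: bytes):
    """Parse a header line strictly (modelled on, not copied from, Splunk's parser).

    Returns (metadata_length, body_length). Raises ValueError on any deviation,
    including a carriage return left in front of the newline.
    """
    if not line.endswith(b"\n"):
        raise ValueError("header not newline-terminated")
    fields = line[:-1]  # strip only the "\n"; a "\r" would survive and fail below
    if not fields.startswith(HEADER_PREFIX):
        raise ValueError("bad header prefix: %r" % fields[:12])
    parts = fields[len(HEADER_PREFIX):].split(b",")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError("failed to parse transport header: %r" % fields[len(HEADER_PREFIX):])
    return int(parts[0]), int(parts[1])


def header_is_valid(line: bytes) -> bool:
    """Convenience predicate around parse_transport_header."""
    try:
        parse_transport_header(line)
        return True
    except ValueError:
        return False


def read_chunk(stream):
    """Read one chunk from a binary stream: header line, then metadata and body."""
    meta_len, body_len = parse_transport_header(stream.readline())
    metadata = stream.read(meta_len)
    body = stream.read(body_len)
    if len(metadata) != meta_len or len(body) != body_len:
        raise ValueError("short read: lengths in header do not match payload")
    return metadata, body


def write_chunk_text_mode(metadata: bytes, body: bytes, newline: str = "\r\n") -> bytes:
    """Simulate a command writing through a text-mode stdout.

    Python's text-mode sys.stdout on Windows translates "\\n" to "\\r\\n"; here
    io.TextIOWrapper(newline="\\r\\n") does the same translation on write, so
    the header's length field ends up followed by a stray "\\r".
    """
    raw = io.BytesIO()
    text = io.TextIOWrapper(raw, encoding="utf-8", newline=newline)
    text.write(encode_chunk(metadata, body).decode("utf-8"))
    text.flush()
    text.detach()  # keep raw open so we can read it back
    return raw.getvalue()


def write_chunk_binary(metadata: bytes, body: bytes) -> bytes:
    """Write through a binary stream (sys.stdout.buffer in a real command):
    no newline translation, so the header and payload survive byte for byte."""
    raw = io.BytesIO()
    raw.write(encode_chunk(metadata, body))
    return raw.getvalue()


def demo():
    """Feed both outputs to the strict reader and report what happens to each."""
    # Constructed sample: a getinfo-style metadata object and a one-row CSV body.
    metadata = b'{"action":"getinfo","preview":false}'
    body = b"hash\n131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267\n"
    results = {}
    for name, payload in (("binary", write_chunk_binary(metadata, body)),
                          ("text_mode_crlf", write_chunk_text_mode(metadata, body))):
        try:
            read_chunk(io.BytesIO(payload))
            results[name] = "ok"
        except ValueError as exc:
            results[name] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-15s %s" % (name, outcome))
```

The text-mode run fails at the header because the body-length field reads "70\r" instead of "70"; even if the header were tolerated, every "\n" inside the CSV body would also have grown by a byte, so the declared lengths would no longer match the payload. The general Python remedy, independent of which library you use, is to read and write the protocol through sys.stdin.buffer and sys.stdout.buffer (or switch the file descriptors to binary mode with msvcrt.setmode on Windows) rather than the text-mode wrappers.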

tomaszdziwok
Path Finder

Hi,

I am one of the developers for VirusTotal Malware Lookup. Thanks for reporting the issue.
Unfortunately I haven't been able to replicate this error locally.
Could you share some more information about the specifics of the environment?

  • What version of Splunk are you using?
  • What Operating System is Splunk running on (if not in Splunk Cloud)?
  • What version of the Add-On are you using?
  • Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment?
  • Are you using python2 or python3? (depending on the version of Splunk, you can use the following search to determine this: | rest /servicesNS/-/-/configs/conf-server/general | untable id, field, value | search field="python")
  • How long does the command run before it crashes (ERROR time - start time)?

Thanks,
Tomasz

0 Karma

raymond_prospec
New Member

What version of Splunk are you using? 8.0.1

What Operating System is Splunk running on (if not in Splunk Cloud)? Windows Server 2016 (moving to Linux soon)

What version of the Add-On are you using? 2.0.0

Are you seeing this issue in a Splunk Cloud or Splunk Enterprise deployment? Splunk Enterprise

Python version? Python 3

How long does it run before it crashes? Almost immediately, maybe 1 or 2 seconds.

0 Karma