Sendresults not working after upgrade

tmontney
Builder

From splunkd.log

 Traceback (most recent call last):
04-29-2020 10:15:14.055 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -    File "C:\Program Files\Splunk\etc\apps\sendresults\bin\sendresults_alert.py", line 206, in <module>
04-29-2020 10:15:14.055 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -      with gzip.open(payload.get('results_file'),'rt') as fin:
04-29-2020 10:15:14.055 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -    File "C:\Program Files\Splunk\Python-2.7\lib\gzip.py", line 34, in open
04-29-2020 10:15:14.056 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -      return GzipFile(filename, mode, compresslevel)
04-29-2020 10:15:14.057 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -    File "C:\Program Files\Splunk\Python-2.7\lib\gzip.py", line 94, in __init__
04-29-2020 10:15:14.057 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -      fileobj = self.myfileobj = __builtin__.open(filename, mode or 'rb')
04-29-2020 10:15:14.057 -0500 ERROR sendmodalert - action=sendresults_alert STDERR -  ValueError: Invalid mode ('rtb')
04-29-2020 10:15:14.613 -0500 INFO  sendmodalert - action=sendresults_alert - Alert action script completed in duration=1632 ms with exit code=1
04-29-2020 10:15:14.613 -0500 WARN  sendmodalert - action=sendresults_alert - Alert action script returned error code=1
04-29-2020 10:15:14.613 -0500 ERROR sendmodalert - Error in 'sendalert' command: Alert script returned error code 1.

sendresults.log didn't have anything but this. Doesn't appear in the logs until after the upgrade and the errors occur.

2020-05-04 11:40:43,437 INFO invocation_id=123456789.12:1234invocation_type="action" py_version=sys.version_info(major=2, minor=7, micro=17, releaselevel='final', serial=0)

Rolled back to 4.0.1, working again. Splunk is on 8.0.2.

0 Karma

mockd
Path Finder

Hi,

I was able to reproduce this issue on Windows with V5.0.0 of sendresults. Turns out it's a python2/3 thing that got missed during our testing.

If you are on Windows + 8.0.x then I suggest setting Splunk to use python3 for the alert action version (make the change in local):

[sendresults_alert]
python.version = python3

If you are on Windows + 7.3.x then you will need to update line 206 of $SPLUNK_HOME/etc/apps/sendresults/bin/sendresults_alert.py
Change from this:

with gzip.open(payload.get('results_file'),'rt') as fin:

To This:

with gzip.open(payload.get('results_file'),'r') as fin:

If you make this change you will need to revert the change back if you upgrade to Splunk 8.0.x and apply the python version change as noted.

We will add an issue and address it properly in our next release. Thanks for letting us know about it. Feel free to email us at support@discoveredintelligence.ca if you have any other issues/questions about sendresults.

Thanks,
Derek.
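
A version-independent way to open the results file, as an added example that is not part of the original post and not the sendresults app's own code. It assumes the file named by `results_file` is a gzip-compressed CSV read with the `csv` module; `open_results`, `read_results`, `write_sample` and `demo` are hypothetical names, and the sample rows are constructed.

```python
import csv
import gzip
import io
import os
import sys
import tempfile

PY2 = sys.version_info[0] == 2


def open_results(path):
    """Open a gzipped results file for csv reading on Python 2.7 or 3."""
    if PY2:
        # Python 2's gzip adds 'b' to any mode that lacks it, so 'rt'
        # becomes the 'rtb' rejected in the traceback. Its csv module
        # works on byte strings, so plain binary mode is what it needs.
        return gzip.open(path, 'rb')
    # Python 3's csv module needs text; 'rt' decodes while decompressing.
    return gzip.open(path, 'rt', encoding='utf-8', newline='')


def read_results(path):
    """Return the rows of a gzipped CSV results file as a list of dicts."""
    fin = open_results(path)
    try:
        return [dict(row) for row in csv.DictReader(fin)]
    finally:
        fin.close()


def write_sample(path):
    """Write a small constructed results file (sample data, not real output)."""
    data = b"host,count\r\nweb01,3\r\ndb02,7\r\n"
    fout = gzip.open(path, 'wb')
    try:
        fout.write(data)
    finally:
        fout.close()


def demo():
    """Round-trip the constructed sample through read_results."""
    path = os.path.join(tempfile.mkdtemp(), 'results.csv.gz')
    write_sample(path)
    return read_results(path)


if __name__ == '__main__':
    print(demo())
```

Choosing the mode from the running interpreter means the script needs no manual edit when the Splunk-bundled Python changes between versions.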

tmontney
Builder

Yep, that worked, just needed a restart to take effect. Thanks!

0 Karma

mockd
Path Finder

Thanks for letting us know. I'll have to do some testing to try and reproduce it.

In the short term, could you try adjusting the python version to Python3 in alert_actions.conf (make the changes in local) to see if that resolves it?

[sendresults_alert]
python.version = python3

Let me know if that works.

0 Karma

tmontney
Builder

Sure, I'll try that later today.

0 Karma