All Apps and Add-ons

Splunk Machine Learning Tool kit: Error in 'fit' command: External search command exited unexpectedly.

arlombar1
Explorer

Hello,

I just installed the ML toolkit for Splunk and am running into the below error every time I go to the showcase and attempt to use one of the dashboards and create a "fit model".

Error in 'fit' command: External search command exited unexpectedly.

I've also tested the SPL search using the fit command and I get the same error.

I've made sure to download Python for Scientific Computing Add-on specific to my OS (linux) prior to installing the ML toolkit and made sure that the permissions are all global.

Splunkd.log is only show the below error message:
07-26-2019 14:39:01.121 -0400 ERROR ChunkedExternProcessor - EOF while attempting to read transport header
07-26-2019 14:39:01.121 -0400 ERROR ChunkedExternProcessor - Error in 'fit' command: External search command exited unexpectedly.

Splunk version: 7.0.2

Has anyone run into this issue before with this app, or maybe a different app with the same error? The fit command is essentially a python script and I've been combing through the code, but can't determine which line the EOF error is referencing.

BigCosta
Path Finder

Hi!
I found a solution to this problem. You need to update three Python packages that come as part of Splunk_SA_Scientific_Python_linux_x86_64 -- NumPy, SciPy and scikit_learn
To do this You need to do the following:

  1. Download from Python software repository https://pypi.org/ latest numpy, scipy and scikit_learn packages (yum won't help because it downloads older versions)

    numpy-1.16.5-cp27-cp27mu-manylinux1_x86_64.whl
    scipy-1.2.2-cp27-cp27mu-manylinux1_x86_64.whl
    scikit_learn-0.20.4-cp27-cp27mu-manylinux1_x86_64.whl

  2. Install packages in system python

    pip install numpy-1.16.5-cp27-cp27mu-manylinux1_x86_64.whl
    pip install scipy-1.2.2-cp27-cp27mu-manylinux1_x86_64.whl
    pip install scikit_learn-0.20.4-cp27-cp27mu-manylinux1_x86_64.whl

  3. Make a backup of the original numpy, scipy and scikit_learn packages located in Splunk_SA_Scientific_Python_linux_x86_64

    mv $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/numpy $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/numpy.orig
    mv $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/scipy $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/scipy.orig
    mv $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/sklearn $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages/sklearn.orig

  4. Copy installed packages from system python to Splunk_SA_Scientific_Python_linux_x86_64

    cp -r /usr/lib64/python2.7/site-packages/numpy* -t $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
    cp -r /usr/lib64/python2.7/site-packages/scipy* -t $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
    cp -r /usr/lib64/python2.7/site-packages/sklearn -t $SPLUNK_HOME/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages
    All done, you can now run the search with the fit command (Splunk reboot is not required)

The numpy, scipy and scikit_learn packages in system python are no longer needed and you can remove them with the pip uninstall <package> command

fsaporito
Explorer

This happens also with Splunk 8 and python 3, but I do not tried this fix yet.

0 Karma

BigCosta
Path Finder

Hello!
I have the same problem. I researched the problem and found that the problem is in the numpy module.
The code of Python "import numpy as np" causes "Illegal instruction (core dumped)"
You can check this by running the command:
/opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/bin/python -c "import numpy as np"

You will see a lot of errors like "ERROR:root:code for hash xxxxx was not found." - that's okay.
If you have no problems with the "fit" command, then the last lines of the output will be:

ValueError: unsupported hash type sha512

If you have problems with the "fit" command, then the last lines of the output will be:

ValueError: unsupported hash type sha512
Illegal instruction (core dumped)

I have not yet found why the numpy module does not start...
I have Splunk 7.3.2, Splunk_SA_Scientific_Python_linux_x86_64 1.4 and Splunk_ML_Toolkit 4.4.1

0 Karma

BernardEAI
Communicator

Hi BigCosta

I am also getting the "Error in 'fit' command: External search command exited unexpectedly" error. I tried running python -c "import numpy as np" in /opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/bin, but I got the error message ImportError: No module named numpy. Does this mean we don't even have numpy installed?

We are running Splunk 7.3.3, Splunk Machine Learning Toolkit 4.5.0

0 Karma

eca
Engager

Hi @BernardEAI ,

I solve the problem after install PSC 1.3 and fix some libraries problem on my Linux. On my Linux if I try to execute the command "openssl" I get some errors due to libraries not found. I fix the problem creating sym links to the right library with the right name. The version of MLTK is 4.5 also for me with Splunk 7.3.4.

Hope this help

Best Regards

Emiliano

BernardEAI
Communicator

Hi @eca 

Thanks for the tip on the PSC 1.3 - I installed this version and it solved the problem (without any other changes)! I'm very confused about why this is, and why there isn't better documentation on this.

Our current setup: Splunk Version:7.3.3, MLTK 4.2.0 and PSC 1.3.

0 Karma

eca
Engager

Hello @BigCosta,

I have a problem similar to yours, were you able to address it?

Thanks

Best Regards

Emiliano

0 Karma

BigCosta
Path Finder

Hi Emiliano!

Yes, i solved this problem.

Solution in my post in this thread from date 10-12-2019 08:41 PM.

 

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...