We have a search that runs fine but when we schedule it as a report, we don't get the e-mail and in _internal
we see -
05-26-2020 17:10:25.215 -0400 ERROR ScriptRunner - stderr from '/opt/apps/splunk/bin/python /opt/apps/splunk/etc/apps/search/bin/sendemail.py "results_link=https://:8000/app/search/@go?sid=scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786" "ssname=My test" "graceful=True" "trigger_time=1590527424" results_file="/opt/apps/splunk/var/run/splunk/dispatch/scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786/results.csv.gz"': _csv.Error: line contains NULL byte
What might be the problem?
The problem was that the developer inserted the NULL character using SED.
Before -
| rex mode=sed s/'//g | rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3))
After -
| rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3))
Sed works like s/replace-me/with-me/g =
that would replace the string "replace-me" with "with-me". So the top (BEFORE) in the first SED replaced the single quote with nothing (NULL) Character. causing the issue – I didn't realize \w+
would match NULL bytes. But it certainly did.