Why do we get this error when scheduling a search ...

danielbb · ‎05-26-2020

We have a search that runs fine but when we schedule it as a report, we don't get the e-mail and in _internal we see -

05-26-2020 17:10:25.215 -0400 ERROR ScriptRunner - stderr from '/opt/apps/splunk/bin/python /opt/apps/splunk/etc/apps/search/bin/sendemail.py "results_link=https://:8000/app/search/@go?sid=scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786" "ssname=My test" "graceful=True" "trigger_time=1590527424" results_file="/opt/apps/splunk/var/run/splunk/dispatch/scheduler__myid__search__RMD593055a08ba8cd116_at_1590527400_77786/results.csv.gz"':  _csv.Error: line contains NULL byte

What might be the problem?

danielbb · ‎05-27-2020

The problem was that the developer inserted the NULL character using SED.

Before -

| rex mode=sed s/'//g | rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3))

After -

| rex "session.radius.last.attr.class is (?<radius>\w+)" | rex mode=sed field=radius "s/([0-9A-Fa-f]{2})/%\1/g" | eval radius=urldecode(substr(radius,3))

Sed works like s/replace-me/with-me/g = that would replace the string "replace-me" with "with-me". So the top (BEFORE) in the first SED replaced the single quote with nothing (NULL) Character. causing the issue – I didn't realize \w+ would match NULL bytes. But it certainly did.

Why do we get this error when scheduling a search as a report: "line contains NULL byte")?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life