- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Splunk Enterprise Security: Receiving errors "...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Enterprise Security: Receiving errors ""A script exited abnormally" input=".\bin\xxxx.py" stanza="default" status="exited with code 1"". How to resolve?
Hi
I keep receiving this error message from Splunk Enterprise Security (ES) on my custom python application, though the application is running fine.
2017-02-20 17:00:06,348 ERROR pid=8860 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input=".\bin\xxxx.py" stanza="default" status="exited with code 1""
2017-02-20 17:00:06,404 ERROR pid=8860 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input=".\bin\yyyyy.py" stanza="default" status="exited with code 1"
anyone encounter this before? What is this error referring too and anyway to resolve/suppress this error?
I have included this in the local/inouts.conf but does not work.
[configuration_check://confcheck_script_errors]
suppress = ((streamfwd|splunk-(wmi.path|MonitorNoHandle.exe|winevtlog.exe|netmon.exe|perfmon.exe|regmon.exe|winprintmon.exe|admon.exe|powershell.exe)).*exited with code 1)
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are picking up that error message because your default stanza for checking scripts considers any non-zero return code (such as 1) to be an error. Your python script is returning a 1, so therefore it MUSt be an error, as far as that stanza is concerned.
Your options are (1) if the script is returning 1 and does not have an error, fix the script to return zero (2) if the script is properly returning a 1 which is not an error, then point the script at something other than the default.
This page is very similar, but his solution was to copy code from an older version you wouldn't have. https://answers.splunk.com/answers/329819/alert-manager-script-exit-status-1.html
On this page, the error was bad indenting on the python script -
https://answers.splunk.com/answers/145246/external-search-command-mypythonfile-returned-error-code-1...
Additional information here - https://answers.splunk.com/answers/99328/why-i-get-error-code-1.html
Here's another case where it was an error in the python code - https://answers.splunk.com/answers/189517/why-am-i-getting-error-code-1-for-my-python-script.html
So, assuming the above survey of prior posts about this is typical, you probably have an error in your python code. If you post it here, maybe we can give you more help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the suggestion. Are you able to elaborate the steps/any example for suggestion #2? What do you mean pointing the script to something other than the default?
(2) if the script is properly returning a 1 which is not an error, then point the script at something other than the default.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the python script.
import re,collections,json,csv,sys,urllib,urllib2
import requests
import shutil,time,os
import splunk.entity as entity
import splunk.Intersplunk
import argparse
def sitereview(url,proxy,port,username,password):
httpproxy = "{0}:{1}@{2}:{3}".format(username,password,proxy,port)
proxy_handler = urllib2.ProxyHandler({'http': httpproxy})
opener = urllib2.build_opener(proxy_handler)
urllib2.install_opener(opener)
baseurl = 'http://xxx/rest/categorization'
query_args = {'url': url}
data = urllib.urlencode(query_args)
headers = {'User-Agent':'Mozilla 5.10'}
request = urllib2.Request(baseurl, data, headers)
response = urllib2.urlopen(request)
json = response.read()
return json
def getCredentials(sessionKey):## added for getting the credentials
myapp = 'abc-app'
try: #list all credentials
entities = entity.getEntities("storage/passwords", namespace = myapp, owner = 'nobody', sessionKey = sessionKey)
except Exception, e:
raise Exception("Could not get %s credentials from splunk. Error: %s" %(myapp, str(e)))
for i, c in entities.items():
return c['username'], c['clear_password']
raise Exception("No credentials have been found")
def main():
databasefile = "localcat.txt"
date = time.strftime("%Y%m%d")
newfile = databasefile +"_"+ date
shutil.copyfile(databasefile, newfile)
os.remove(databasefile)
destination = open(databasefile, "w")
source = open(newfile, "r")
proxy = 'PROXY'
port = '80'
#username = 'USERNAME'
#password = 'PASSWORD'
## added for getting the credential from the sessionkey
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
sessionKey = settings['sessionKey']
if len(sessionKey) == 0:
sys.stderr.write("Did not receive a session key from splunkd.")
sys.exit(0)
username, password = getCredentials(sessionKey)
for line in source:
time.sleep(10)
if 'define category test_Incident' in line:
destination.write(line)
elif 'end' in line:
destination.write(line)
else:
result_json = sitereview(line,proxy,port,username,password)
parsed_json = json.loads(result_json)
unrated = str(parsed_json['unrated'])
if unrated.lower() == 'true':
destination.write(line)
source.close()
destination.close()
main()
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
Join Us for Splunk University and Get Your Bootcamp Game On!
