cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
christopherrobe
Splunk Employee
Member since: ‎10-16-2019
‎10-09-2020
Community Statistics
Posts 2
Solutions 1
Karma Given 1
Karma Received 5
Member Since ‎10-16-2019
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Custom streaming search command error

by Splunk Employee in Splunk Dev
‎10-08-2020 01:42 PM
2 Karma
‎10-08-2020 01:42 PM
2 Karma
Awesome!   I also would like to note that you're able to get search.logs from the indexers as well in the job inspector under "Search Job Properties". Towards the bottom, under "Additional Info" there should be a link for each search.log from its respective indexer. ... View more

Re: Custom streaming search command error

by Splunk Employee in Splunk Dev
‎10-08-2020 12:15 PM
3 Karma
‎10-08-2020 12:15 PM
3 Karma
Hi @GindiKhangura ,   I was able to replicate this to my environment, with the app as attached. It worked great on the standalone node, or if i used a non-streaming command in the search before the streaming command (head 1000), but as soon as I streamed it across the indexers, I received the same error.    I was able to look into the search.log from the search on one of the indexers, and found the trace.     10-08-2020 17:53:52.554 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last): 10-08-2020 17:53:52.554 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/var/run/searchpeers/E138C522-1210-4D6F-AD0B-C91FDB3E95D8-1602178084/apps/testapp/bin/condensefields.py", line 7, in <module> 10-08-2020 17:53:52.554 ERROR ChunkedExternProcessor - stderr: from splunklib.searchcommands import \ 10-08-2020 17:53:52.555 ERROR ChunkedExternProcessor - stderr: ImportError: No module named splunklib.searchcommands 10-08-2020 17:53:52.556 ERROR ChunkedExternProcessor - EOF while attempting to read transport header 10-08-2020 17:53:52.556 ERROR ChunkedExternProcessor - Error in 'condensefields' command: External search command exited unexpectedly with non-zero error code 1. 10-08-2020 17:53:52.556 ERROR SearchPipelineExecutor - sid:remote_sh1_1602179632.20_86CF40A2-33DE-4558-8481-6CFF1E8B36D4 Streamed search execute failed because: Error in 'condensefields' command: External search command exited unexpectedly with non-zero error code 1..     Looking at the error "10-08-2020 17:53:52.555 ERROR ChunkedExternProcessor - stderr: ImportError: No module named splunklib.searchcommands". You'll also notice that the app itself is being passed in the knowledge bundle and being ran in /opt/splunk/var/run/searchpeers/E138C522-1210-4D6F-AD0B-C91FDB3E95D8-1602178084/apps/testapp/bin/condensefields.py and NOT /opt/splunk/etc/slave-apps/testapp/bin/condensefields.py I looked into that /var/run/searchpeers/<SH_GUID>-<SID>/apps/testapp/ directory, and /lib/ does not get streamed to the indexer, but /bin does.   To resolve this issue, I moved splunklib from /lib to /bin and removed the syspath for it to point into its own directory.    After this change, the command was able to stream properly. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-09-2020 12:00 AM
Karma from
Karma given to
View All