We've had some custom commands defined on our indexers for years. Here is /opt/splunk/etc/apps/whirlpool_netbotz/default/commands.conf:
[netbotzreport]
filename = netbotzreport.py
enableheader = true
outputheader = true
requires_srinfo = true
stderr_dest = message
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true
streaming = true
# this should not be necessary
overrides_timeorder = true
required_fields=mib,oid,snmp_index,value
[netbotzextract]
filename = netbotzextract.py
enableheader = true
outputheader = true
requires_srinfo = true
stderr_dest = message
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true
streaming = true
# this should not be necessary
overrides_timeorder = true
[pipesniff]
filename = pipesniff.py
enableheader = true
outputheader = true
requires_srinfo = true
stderr_dest = message
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true
streaming = true
Sometime in the last month, searches using these commands have started failing with these messages from the indexers:
[awnulsplunkp1] Search Factory: Unknown search command 'netbotzextract'.
We did a 6.5 -> 7.0 last week, which I suspect is what changed.
Why are the indexers trying to execute these commands if they are defined as 'local = true'?
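An added example, not code from the original post: a small audit script that parses commands.conf the way a practitioner would before chasing this error, listing for each custom command whether it is marked `local`, whether it is also flagged `streaming`, and whether the same stanza exists in the copy of commands.conf deployed on a search peer. It assumes the documented meaning of `local = true` in commands.conf (the command runs on the search head only, so a peer should never be asked for it); the conf text embedded below is an abbreviated copy of the stanzas in the question, and the "indexer" copy is a constructed example of a peer that is missing two of them.

```python
"""Audit Splunk commands.conf stanzas across a search head and a search peer.

Added example, not code from the original post. Assumption (per the
commands.conf spec): local = true means the command runs on the search head
only, so a peer should not be asked to execute it.
"""
import configparser
from typing import Dict

# Constructed: abbreviated copy of the three stanzas shown in the question.
SEARCH_HEAD_CONF = """\
[netbotzreport]
filename = netbotzreport.py
local = true
streaming = true
required_fields=mib,oid,snmp_index,value

[netbotzextract]
filename = netbotzextract.py
local = true
streaming = true

[pipesniff]
filename = pipesniff.py
local = true
streaming = true
"""

# Constructed: a search peer whose copy of the app lacks the netbotz stanzas.
INDEXER_CONF = """\
[pipesniff]
filename = pipesniff.py
local = true
streaming = true
"""


def parse_commands_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse commands.conf text into {stanza: {key: value}}.

    commands.conf is INI-style; '#' comment lines and 'key=value' without
    spaces (as in required_fields=...) are both accepted by configparser.
    Interpolation is disabled so '%' in values is left alone.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def is_true(value: str) -> bool:
    """Boolean parsing that accepts the spellings Splunk conf files use."""
    return value.strip().lower() in ("true", "t", "1", "yes", "y")


def audit(search_head_text: str, indexer_text: str) -> Dict[str, Dict[str, bool]]:
    """For each stanza on the search head, report its dispatch-related flags
    and whether the peer has the stanza at all.

    expect_remote_failure is True only when the command is NOT local (so it
    may be sent to peers) and the peer lacks it: that is the configuration
    that should legitimately produce "Unknown search command" on a peer.
    """
    sh = parse_commands_conf(search_head_text)
    peer = parse_commands_conf(indexer_text)
    report = {}
    for name, settings in sh.items():
        local = is_true(settings.get("local", "false"))
        streaming = is_true(settings.get("streaming", "false"))
        on_peer = name in peer
        report[name] = {
            "local": local,
            "streaming": streaming,
            "on_indexer": on_peer,
            "expect_remote_failure": (not local) and (not on_peer),
        }
    return report


if __name__ == "__main__":
    for cmd, flags in audit(SEARCH_HEAD_CONF, INDEXER_CONF).items():
        print(f"{cmd:16} " + " ".join(f"{k}={v}" for k, v in flags.items()))
```

With the stanzas from the question every command is `local`, so `expect_remote_failure` is False for all three even though two are absent from the peer; that is exactly the mismatch the question describes between the documented meaning of `local = true` and the "Unknown search command" messages coming back from the indexers. Running the same audit against the real files on the search head and on a peer (after the 7.0 upgrade) is the quickest way to confirm whether the stanzas, or just their semantics, changed.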