hRun / SA-haveibeenpwned

Splunk add-on providing a custom search command to query Troy Hunt's haveibeenpwned API (https://haveibeenpwned.com/api/v3/) for known breaches of your domains or mail addresses.
https://splunkbase.splunk.com/app/5050/
Apache License 2.0

Error while executing search in Splunk ES #5

Closed spacepatcher closed 2 years ago

spacepatcher commented 2 years ago

Hi!

Please help me with a problem I have faced.

Splunk ES version: v8.2.4

An error occurred while performing a search query:

<skipped>
| table email
| haveibeenpwned mode=mail pastes=all email

The error message in the interface:

[image]

Full error message from index _internal:

source = /opt/splunk/search/splunk/var/log/python_upgrade_readiness_app/pura_utils.log
sourcetype = python_upgrade_readiness_app
2022-02-22 14:49:43,890 ERROR 140591149778752 - [Errno 111] Connection refused
Traceback (most recent call last):
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_utils.py", line 760, in one_shot_str_wrapper
    oneshot_job = service.jobs.oneshot(path)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/client.py", line 3054, in oneshot
    **params).body
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/client.py", line 821, in post
    return self.service.post(path, owner=owner, app=app, sharing=sharing, **query)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 290, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 71, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 759, in post
    response = self.http.post(path, all_headers, **query)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 1235, in post
    return self.request(url, message)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 1252, in request
    response = self.handler(url, message, **kwargs)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 1392, in request
    connection.request(method, path, body, head)
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 1281, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 976, in send
    self.connect()
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 1443, in connect
    super().connect()
  File "/opt/splunk/search/splunk/lib/python3.7/http/client.py", line 948, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/opt/splunk/search/splunk/lib/python3.7/socket.py", line 729, in create_connection
    raise err
  File "/opt/splunk/search/splunk/lib/python3.7/socket.py", line 717, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

hRun commented 2 years ago

Hi there,

Thanks for reaching out. Unfortunately I was unable to reproduce the issue. I haven't heard of any of my clients running the add-on on top of ES having this issue, but will double check. Does this issue occur when running the command from the ES search page only, or on the search from any app? Which version of Python are you running in your Splunk environment (I'm a bit confused by the python_upgrade_readiness_app)?

My thoughts on the error message are that your issue is most likely network related and that either the destination or an intermediate node is denying connection attempts. So could you please double check in the meantime that your search head can reach https://haveibeenpwned.com/api/v3/, that the add-on has the correct proxy configured to do so too, and that there are no firewalls/IPS/... blocking the requests for whatever reason?

Cheers, hRun
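
A triage sketch for the traceback posted above, added here and not part of the thread or of the add-on's code: it groups the frames by Splunk app directory to show which app's code raised the exception. The sample is an abridged copy of the posted traceback, and the app directory name `SA-haveibeenpwned` is assumed from the repository name.

```python
import re

# Abridged copy of the traceback posted in this issue (frames trimmed for brevity).
SAMPLE = """\
2022-02-22 14:49:43,890 ERROR 140591149778752 - [Errno 111] Connection refused
Traceback (most recent call last):
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_utils.py", line 760, in one_shot_str_wrapper
    oneshot_job = service.jobs.oneshot(path)
  File "/opt/splunk/search/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunklib/binding.py", line 1392, in request
    connection.request(method, path, body, head)
  File "/opt/splunk/search/splunk/lib/python3.7/socket.py", line 717, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
"""

FRAME = re.compile(r'^\s*File "([^"]+)", line (\d+), in (\S+)')
APP = re.compile(r"/etc/apps/([^/]+)/")
EXC = re.compile(r"^([A-Za-z_][\w.]*(?:Error|Exception)): (.*)$")


def triage(text):
    """Summarise a Python traceback from Splunk's _internal index:
    which app directories own the frames, where the call started,
    and which exception ended it."""
    frames, exc = [], None
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            app = APP.search(m.group(1))
            frames.append({"path": m.group(1), "line": int(m.group(2)),
                           "func": m.group(3),
                           "app": app.group(1) if app else None})
        else:
            m = EXC.match(line)
            if m:
                exc = {"type": m.group(1), "message": m.group(2)}
    apps = sorted({f["app"] for f in frames if f["app"]})
    return {"apps": apps,
            "entry": frames[0] if frames else None,
            "via_splunklib": any("/splunklib/" in f["path"] for f in frames),
            "exception": exc}


def implicates(summary, app_dir):
    """True if any frame of the traceback lives under etc/apps/<app_dir>/."""
    return app_dir in summary["apps"]


if __name__ == "__main__":
    s = triage(SAMPLE)
    print(s["apps"], s["entry"]["func"], s["exception"])
    print(implicates(s, "SA-haveibeenpwned"))  # directory name assumed from the repository name
```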

spacepatcher commented 2 years ago

I agree that the problem is most likely related to my installation, rather than directly to the plugin.

Due to a lack of ideas, I decided to share the problem with the community in the hope that someone has encountered a similar problem.

Thanks for responding! I will keep trying to solve the problem.