remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Graceful exit when no results returned by search #219

Closed hkelley closed 1 year ago

hkelley commented 1 year ago

In cases where the "inline" mode is used, e.g.

```
| sendalert misp_alert_create_event
```

a search that returns no results triggers this error (either in the UI or index=_internal):

```text
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    RequestsDependencyWarning)
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -  Traceback (most recent call last):
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    File "/opt/splunk/etc/apps/misp42splunk/lib/alert_actions_base.py", line 197, in prepare_meta_for_cam
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -      rf = gzip.open(self.results_file, 'rt')
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    File "/opt/splunk/lib/python3.7/gzip.py", line 58, in open
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -      binary_file = GzipFile(filename, gz_mode, compresslevel)
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    File "/opt/splunk/lib/python3.7/gzip.py", line 168, in __init__
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -      fileobj = self.myfileobj = builtins.open(filename, mode or 'rb')
Error: [Errno 2] No such file or directory: '/opt/splunk/var/run/splunk/dispatch/1666113733.156328/sendalert_temp_results.csv.gz'
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -  During handling of the above exception, another exception occurred:
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -  Traceback (most recent call last):
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    File "/opt/splunk/etc/apps/misp42splunk/bin/misp_alert_create_event.py", line 104, in <module>
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -      ).run(sys.argv)
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    File "/opt/splunk/etc/apps/misp42splunk/lib/alert_actions_base.py", line 217, in run
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -      self.prepare_meta_for_cam()
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -    File "/opt/splunk/etc/apps/misp42splunk/lib/alert_actions_base.py", line 206, in prepare_meta_for_cam
ERROR sendmodalert [4952 phase_1] - action=misp_alert_create_event STDERR -      if rf:
Error: local variable 'rf' referenced before assignment
INFO  sendmodalert [4952 phase_1] - action=misp_alert_create_event - Alert action script completed in duration=460 ms with exit code=1
```
error code=1
error code 1.
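The traceback above shows two distinct problems: Splunk never writes `sendalert_temp_results.csv.gz` when the search returns nothing, so `gzip.open()` raises `FileNotFoundError`; and the exception handler then touches `rf`, which was never bound, so the real cause is masked by an `UnboundLocalError` and the script exits 1. The following is an added example, not code from misp42splunk or from the Splunk add-on framework it builds on. It reproduces the shape of the failing handler and contrasts it with a loader that treats a missing or header-only results file as "no results" and lets the alert action exit 0. The function names (`load_results_broken`, `load_results`, `run_alert`, `demo`) and the sample rows are assumptions made for the illustration.

```python
"""Added example (not misp42splunk's or the add-on framework's own code).

Shows why an except/finally block must not reference a name bound inside
the try, and how a sendalert script can exit gracefully when Splunk did
not write a results file because the search returned no events.
"""
import csv
import gzip
import os
import tempfile


def load_results_broken(results_file):
    """Mirrors the shape of the failing code in the traceback (assumed, not
    the framework's real source): `rf` is bound only if gzip.open()
    succeeds, so when the file is missing the handler's `if rf:` raises
    UnboundLocalError and hides the original FileNotFoundError."""
    try:
        rf = gzip.open(results_file, "rt")
        return list(csv.DictReader(rf))
    except Exception:
        if rf:  # rf was never assigned when open() failed
            rf.close()
        return []


def load_results(results_file):
    """Return the alert's result rows as a list of dicts.

    A missing file (no results from the search) or a header-only file
    both yield [] rather than an exception. A corrupt or truncated gzip
    is reported as "no results" too, so the alert still exits cleanly.
    """
    if not results_file or not os.path.isfile(results_file):
        return []
    try:
        # `with` closes the handle on every path; no dangling `rf` to test.
        with gzip.open(results_file, "rt", newline="") as rf:
            return list(csv.DictReader(rf))
    except (OSError, EOFError):
        # gzip.BadGzipFile is an OSError subclass; EOFError = truncated stream.
        return []


def run_alert(results_file):
    """Graceful entry point: (exit_code, rows). No rows is not an error."""
    rows = load_results(results_file)
    if not rows:
        # A real script would log "no results, nothing to send to MISP" here.
        return 0, []
    # ... build the MISP event from `rows` ...
    return 0, rows


def write_results_gz(path, rows, fieldnames):
    """Write a Splunk-style gzipped CSV results file (test fixture)."""
    with gzip.open(path, "wt", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fieldnames)
        w.writeheader()
        w.writerows(rows)


def demo():
    """Exercise the three cases a sendalert script meets; returns outcomes.
    All file contents below are constructed for this example."""
    fields = ["src_ip", "dest_ip"]
    with tempfile.TemporaryDirectory() as d:
        # 1. Search returned nothing: Splunk wrote no results file at all.
        missing = os.path.join(d, "sendalert_temp_results.csv.gz")
        outcome_missing = run_alert(missing)

        # 2. Results file exists but holds only a header row.
        empty = os.path.join(d, "empty.csv.gz")
        write_results_gz(empty, [], fields)
        outcome_empty = run_alert(empty)

        # 3. Normal case with one row.
        hits = os.path.join(d, "hits.csv.gz")
        write_results_gz(hits, [{"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"}], fields)
        outcome_hits = run_alert(hits)

        # 4. The broken handler on the missing file: the masking error.
        try:
            load_results_broken(missing)
            broken = "no error"
        except UnboundLocalError:
            broken = "UnboundLocalError"

    return {"missing": outcome_missing, "empty": outcome_empty,
            "hits": outcome_hits, "broken": broken}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The key design point is the `os.path.isfile` check plus `with`: the missing-file case is decided before any handle exists, and the handler never refers to a name that the `try` body might not have bound. Returning exit code 0 with an empty row set is what "graceful exit when no results" means for a `sendalert` action; exit 1 should be reserved for a real failure such as a MISP API error.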
remg427 commented 1 year ago

Hello, thank you for the report. This error comes from the framework itself, not from misp42 code. I'll look whether the framework has been updated.