When applying helloworld.hf file as a parameter to kestrel via cli, the following error message appears:
```
[docker@docker ~]$ kestrel helloworld.hf --debug
16:19:00 DEBUG kestrel.session Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:True
16:19:00 DEBUG kestrel.session Configuration file /kestrel/kestrel.toml does not exist.
16:19:00 DEBUG kestrel.session Configuration file etc/kestrel/kestrel.toml does not exist.
16:19:00 DEBUG kestrel.session Configuration file /home/docker/.local/etc/kestrel/kestrel.toml loaded successfully.
16:19:00 DEBUG kestrel.session Configuration file /home/docker/.config/kestrel/kestrel.toml does not exist.
16:19:00 DEBUG kestrel.session Configuration loaded: {'session': {'local_database_path': 'local.db', 'debug_env_var_name': 'KESTREL_DEBUG'}, 'language': {'default_variable': '_', 'default_sort_order': 'desc'}, 'stixquery': {'timerange_start_offset': -300, 'timerange_stop_offset': 300, 'support_id': False}, 'prefetch': {'get': True, 'find': True, 'process_name_change_timerange_start_offset': -5, 'process_name_change_timerange_stop_offset': 5, 'process_lifespan_start_offset': -10800, 'process_lifespan_stop_offset': 10800}}
16:19:00 DEBUG kestrel.session create new session runtime_directory: /tmp/kestrel-session-212ddaa5-c492-41c7-8c1c-0639a1eb82cd.
16:19:00 DEBUG firepit.sqlitestorage Connection to SQLite DB /tmp/kestrel-session-212ddaa5-c492-41c7-8c1c-0639a1eb82cd/local.db successful
16:19:00 DEBUG firepit.sqlitestorage Executing query: CREATE TABLE IF NOT EXISTS "__symtable" (name TEXT, type TEXT, appdata TEXT);
16:19:00 DEBUG firepit.sqlitestorage Executing query: CREATE TABLE IF NOT EXISTS "__membership" (sco_id TEXT, var TEXT);
16:19:00 DEBUG firepit.sqlitestorage Executing query: CREATE TABLE IF NOT EXISTS "__queries" (sco_id TEXT, query_id TEXT);
16:19:01 DEBUG kestrel.codegen.commands Executing 'new' with statement: {'command': 'new', 'type': 'process', 'data': '[ {"name": "cmd.exe", "pid": "123"}\n , {"name": "explorer.exe", "pid": "99"}\n , {"name": "firefox.exe", "pid": "201"}\n , {"name": "chrome.exe", "pid": "205"}\n ]', 'output': 'proclist'}
16:19:01 DEBUG firepit.splitter _create_table: "CREATE TABLE "process" ("name" TEXT,"pid" TEXT,"type" TEXT,"id" TEXT UNIQUE);"
16:19:01 DEBUG firepit.sqlitestorage Executing query: CREATE TABLE "process" ("name" TEXT,"pid" TEXT,"type" TEXT,"id" TEXT UNIQUE);
16:19:01 DEBUG firepit.sqlitestorage Executing query: CREATE INDEX "process_id" ON "process" ("id");
16:19:01 DEBUG firepit.sqlstorage _upsert: "INSERT INTO "process" ("name", "pid", "type", "id") VALUES (?, ?, ?, ?) ON CONFLICT (id) DO UPDATE SET "name" = EXCLUDED."name", "pid" = EXCLUDED."pid", "type" = EXCLUDED."type";"
Traceback (most recent call last):
  File "/home/docker/.local/bin/kestrel", line 8, in
    runpy.run_module('kestrel', run_name='main')
  File "/usr/lib64/python3.6/runpy.py", line 208, in run_module
    return _run_code(code, {}, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/main.py", line 49, in
    outputs = session.execute(huntflow)
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/session.py", line 262, in execute
    return self._execute_ast(ast)
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/session.py", line 437, in _execute_ast
    output_var_struct, display = execute_cmd(stmt, self)
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/codegen/commands.py", line 92, in wrapper
    return func(stmt, session)
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/codegen/commands.py", line 60, in wrapper
    ret = func(stmt, session)
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/codegen/commands.py", line 123, in new
    stmt["type"] = load_data(session.store, stmt["output"], stmt["data"], stmt["type"])
  File "/home/docker/.local/lib/python3.6/site-packages/kestrel/codegen/data.py", line 30, in load_data
    store.load(output_entity_table, data, entity_type, query_id)
  File "/home/docker/.local/lib/python3.6/site-packages/firepit/sqlstorage.py", line 294, in load
    splitter.close()
  File "/home/docker/.local/lib/python3.6/site-packages/firepit/splitter.py", line 228, in close
    self.writer.write_records(obj_type, recs, self.schemas[obj_type], self.replace, self.query_id)
  File "/home/docker/.local/lib/python3.6/site-packages/firepit/splitter.py", line 153, in write_records
    self.store.upsert(cursor, tablename, obj, query_id)
  File "/home/docker/.local/lib/python3.6/site-packages/firepit/sqlstorage.py", line 224, in upsert
    cursor.execute(stmt, values)
sqlite3.OperationalError: near "ON": syntax error
16:19:01 DEBUG firepit.sqlitestorage Closing SQLite DB connection
```
What version of sqlite3 do you have? The conflict clause was added in 3.24.0 according to https://sqlite.org/lang_conflict.html
Problem fixed. Thanks!
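The version check asked for in the reply above, as an added example that is not part of the thread or of firepit's code: it reads the version of the SQLite library linked into Python and falls back to UPDATE-then-INSERT when the conflict clause from the failing statement is unavailable. The function names and the sample records are constructed for illustration; the table schema and the upsert statement are the ones shown in the debug log.

```python
import sqlite3

# Version the reply above cites for the conflict clause used in the failing statement.
UPSERT_MIN_VERSION = (3, 24, 0)

def supports_upsert(version_info=None):
    """True if this SQLite library accepts INSERT ... ON CONFLICT ... DO UPDATE."""
    if version_info is None:
        # Version of the linked SQLite C library, not of the Python sqlite3 module.
        version_info = sqlite3.sqlite_version_info
    return tuple(version_info) >= UPSERT_MIN_VERSION

def upsert_process(conn, rec, use_upsert=None):
    """Insert or update one row keyed on "id"; returns which path was taken."""
    if use_upsert is None:
        use_upsert = supports_upsert()
    values = (rec["name"], rec["pid"], rec["type"], rec["id"])
    if use_upsert:
        conn.execute(
            'INSERT INTO "process" ("name", "pid", "type", "id") VALUES (?, ?, ?, ?) '
            'ON CONFLICT (id) DO UPDATE SET "name" = EXCLUDED."name", '
            '"pid" = EXCLUDED."pid", "type" = EXCLUDED."type";',
            values,
        )
        return "upsert"
    # Fallback for older libraries: update the existing row, insert if none matched.
    cur = conn.execute(
        'UPDATE "process" SET "name" = ?, "pid" = ?, "type" = ? WHERE "id" = ?;', values
    )
    if cur.rowcount == 0:
        conn.execute(
            'INSERT INTO "process" ("name", "pid", "type", "id") VALUES (?, ?, ?, ?);', values
        )
    return "fallback"

def run_demo(use_upsert=None):
    """Load constructed records, one of them a repeat id, and return the final rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "process" ("name" TEXT,"pid" TEXT,"type" TEXT,"id" TEXT UNIQUE);')
    records = [  # constructed sample data; the ids are placeholders
        {"name": "cmd.exe", "pid": "123", "type": "process", "id": "process--sample-1"},
        {"name": "explorer.exe", "pid": "99", "type": "process", "id": "process--sample-2"},
        {"name": "cmd.exe", "pid": "456", "type": "process", "id": "process--sample-1"},
    ]
    for rec in records:
        upsert_process(conn, rec, use_upsert)
    return conn.execute('SELECT "name", "pid", "type", "id" FROM "process" ORDER BY "id";').fetchall()

if __name__ == "__main__":
    print("SQLite library:", sqlite3.sqlite_version, "| upsert supported:", supports_upsert())
    print(run_demo())
```
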