Getinfo probe failed for external search command 'mispsight' #236
Comments
I just had word from Splunk support; they said our search head isn't part of a search head cluster, it's a standalone, and that is the reason for this error? Is anyone able to clarify if this is the case?
Hello,
Thank you for using MISP42.
What version do you use, and also which Splunk version?
I'll test again on my standalone.
Best,
Remi
Hi, we are on Splunk 9 in the cloud and the latest version of the MISP app, 4.2.2.
Hi, has any testing been completed with regard to this being only compatible with an SHC?
mispsight works on a standalone search head and also on a cluster. Closing.
We have confirmed connectivity of this app to our MISP instance, using command:
| mispcollect misp_instance=Preprod eventid="81" endpoint="events"
We however try to run the command below:
index= src= | regex src=\d+.\d+.\d+.\d+ | mispsight field=src misp_instance=Preprod
And we get an error:
Streamed search execute failed because: Error in 'script': Getinfo probe failed for external search command 'mispsight'..
Looking in search.log we see the following:
06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [SI-101] logging level is set to DEBUG
06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [SI-102] PYTHON VERSION: 3.7.16 (default, Mar 22 2023, 01:29:27)
06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [GCC 9.2.0]
06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': GET request to https://127.0.0.1:8089/servicesNS/nobody/search/misp42splunk_instances (body: {})
06-27-2023 13:45:54.235 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': Operation took 0:00:00.143451
06-27-2023 13:45:54.235 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D01] response.status=200
06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D02] instance_count=1
06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D03] single instance={'title': 'Preprod', 'id': 'https://127.0.0.1/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'updated': '1970-01-01T00:00:00+00:00', 'link': [{'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'alternate'}, {'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'list'}, {'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'edit'}, {'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'remove'}], 'author': {'name': ''}, 'content': {'disabled': '0', 'eai:acl': {'app': 'misp42splunk', 'can_change_perms': '1', 'can_list': '1', 'can_share_app': '1', 'can_share_global': '1', 'can_share_user': '1', 'can_write': '1', 'modifiable': '1', 'owner': ['](', 'perms': {'read': [''], 'write': ['admin']}, 'removable': '1', 'sharing': 'global'}, 'eai:appName': 'misp42splunk', 'eai:userName': 'nobody', 'misp_key': '*****', 'misp_url': '', 'misp_verifycert': '0', 'type': 'text/xml'}}
06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': GET request to https://127.0.0.1:8089/servicesNS/nobody/search/storage/passwords (body: {'count': -1, 'offset': 0})
06-27-2023 13:45:54.249 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': Operation took 0:00:00.012962
06-27-2023 13:45:54.269 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': MispSightCommand.process finished under protocol_version=1
Is there a permissions issue or problem with the jailer that is running our mispsight.py script?
We have reported the same issue to Splunk Cloud support and will see what they say.
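As an added triage helper (not part of this issue or of the misp42splunk project), the script below groups the ScriptRunner stderr lines quoted above by script invocation, records which protocol phase the wrapper ran (GETINFO or EXECUTE), whether that run logged completion, and the misp_url / misp_verifycert values found in the instance record. The sample lines are shortened, constructed copies of the ones in the report; reading 'misp_verifycert': '0' as "TLS certificate verification disabled" is an assumption from the field name. Note that every quoted line comes from an EXECUTE run that finished normally, so the failing getinfo probe itself is not in the excerpt; the per-phase grouping is what makes that gap visible.

```python
import re
from collections import defaultdict

# Constructed sample: three of the search.log lines from the report, shortened.
SAMPLE_LOG = """\
06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [SI-101] logging level is set to DEBUG
06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D03] single instance={'title': 'Preprod', 'content': {'misp_key': '*****', 'misp_url': '', 'misp_verifycert': '0'}}
06-27-2023 13:45:54.269 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': MispSightCommand.process finished under protocol_version=1
"""

# One ScriptRunner stderr line: timestamp, level, pid, wrapped command, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) ScriptRunner \[(?P<pid>\d+) \S+\] - "
    r"stderr from '(?P<cmd>[^']*)': (?P<msg>.*)$"
)
PHASE_RE = re.compile(r"\.py (?P<phase>GETINFO|EXECUTE)\b")  # protocol phase in argv
TAG_RE = re.compile(r"^\[(?P<tag>[A-Z0-9-]+)\]")               # e.g. [SI-101], [MC-PC-D03]
KV_RE = re.compile(r"'(misp_url|misp_verifycert)': '([^']*)'")  # fields of the instance dump

def triage(log_text):
    """Group stderr lines per (pid, command) and summarise each run's phase, tags and config."""
    runs = defaultdict(lambda: {"phase": None, "tags": [], "finished": False,
                                "misp_url": None, "misp_verifycert": None, "findings": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a ScriptRunner stderr line
        run = runs[(m["pid"], m["cmd"])]
        p = PHASE_RE.search(m["cmd"])
        run["phase"] = p["phase"] if p else None
        t = TAG_RE.match(m["msg"])
        if t:
            run["tags"].append(t["tag"])
        if "process finished under protocol_version" in m["msg"]:
            run["finished"] = True
        for key, val in KV_RE.findall(m["msg"]):
            run[key] = val
    for run in runs.values():
        if run["misp_url"] == "":
            run["findings"].append("instance record has empty misp_url")
        if run["misp_verifycert"] == "0":
            run["findings"].append("misp_verifycert=0: TLS certificate verification disabled")
        if run["phase"] == "EXECUTE" and not run["finished"]:
            run["findings"].append("EXECUTE run did not log completion")
    return dict(runs)
```

Run it over the full search.log; a GETINFO run that never appears, or that appears without a "finished" marker, is the run to inspect for the probe failure.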