https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39207#M5624 <P><a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/85970">@hukel</a>&nbsp;- could you please share the full error stack trace?</P> Sun, 06 Aug 2023 21:51:29 GMT shan_chandra 2023-08-06T21:51:29Z https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39199#M5623 <P>Is anyone else using the new v1.2 of the&nbsp;<A href="https://splunkbase.splunk.com/app/5416" target="_blank" rel="noopener">Databricks Add-on for Splunk</A>&nbsp;?&nbsp; &nbsp;We upgraded to 1.2 and now get this error for all queries.</P><PRE>Running process: /opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Databricks/bin/databricksquery.py Error in 'databricksquery' command: External search command exited unexpectedly with non-zero error code 1.</PRE><P>I've opened an issue here&nbsp;<A href="https://github.com/databrickslabs/splunk-integration/issues/42" target="_self">https://github.com/databrickslabs/splunk-integration/issues/42</A>&nbsp;but haven't gotten a follow-up.&nbsp;&nbsp;</P><P>Is anyone else using this add-on successfully with v1.2?</P> Sun, 06 Aug 2023 13:07:00 GMT https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39199#M5623 hukel 2023-08-06T13:07:00Z https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39207#M5624 <P><a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/85970">@hukel</a>&nbsp;- could you please share the full error stack trace?</P> Sun, 06 Aug 2023 21:51:29 GMT https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39207#M5624 shan_chandra 2023-08-06T21:51:29Z https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39275#M5625 <P>I can't see the python stack trace because the TA doesn't output it to a Splunk-logged location (that I can find).&nbsp; &nbsp; The search.log output is all I can see (pasted below).<BR /><BR /></P><LI-CODE lang="markup">08-07-2023 16:03:05.046 INFO SearchParser [994756 searchOrchestrator] - PARSING: | databricksquery command_timeout=1200 query="\n \n SELECT ImageFileName, _time, *\n FROM silver.ProcessRollup2 \n\n WHERE event_date BETWEEN '2023-08-07' AND '2023-08-07'\n AND _time &gt;= 1691409780.000 AND _time &lt;= 1691424183.000\n AND (\n LOWER(ImageFileName) LIKE '\\\\\\\\device\\\\\\\\harddiskvolume%\\\\\\\\\agentexecutor.exe'\n )\n ORDER BY _time DESC \n\n LIMIT 1 " 08-07-2023 16:03:05.047 INFO ServerConfig [994756 searchOrchestrator] - Will add app jailing prefix /opt/splunk/bin/nsjail-wrapper for TA-Databricks 08-07-2023 16:03:05.047 INFO ChunkedExternProcessor [994756 searchOrchestrator] - Running process: /opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Databricks/bin/databricksquery.py 08-07-2023 16:03:05.747 INFO ChunkedExternProcessor [994756 searchOrchestrator] - Custom search command is a generating command. 08-07-2023 16:03:05.747 WARN ChunkedExternProcessor [994756 searchOrchestrator] - Error adding inspector message: invalid level or message already exists 08-07-2023 16:03:05.747 INFO SearchPipeline [994756 searchOrchestrator] - ReportSearch=0 AllowBatchMode=0 08-07-2023 16:03:05.747 INFO SearchPhaseGenerator [994756 searchOrchestrator] - No need for RTWindowProcessor 08-07-2023 16:03:05.747 INFO SearchPhaseGenerator [994756 searchOrchestrator] - Adding timeliner to final phase 08-07-2023 16:03:05.747 INFO SearchParser [994756 searchOrchestrator] - PARSING: | timeliner remote=0 partial_commits=0 max_events_per_bucket=10000 fieldstats_update_maxperiod=60 bucket=0 extra_field=* 08-07-2023 16:03:05.747 INFO TimelineCreator [994756 searchOrchestrator] - Creating timeline with remote=0 partialCommits=0 commitFreq=0 syncKSFreq=0 maxSyncKSPeriodTime=60000 bucket=0 latestTime=1691424183.000000 earliestTime=1691409780.000000 08-07-2023 16:03:05.747 INFO SearchPhaseGenerator [994756 searchOrchestrator] - required fields list to add to different pipelines = *,_bkt,_cd,_si,host,index,linecount,source,sourcetype,splunk_server 08-07-2023 16:03:05.747 INFO SearchPhaseGenerator [994756 searchOrchestrator] - Search Phases created. 08-07-2023 16:03:05.749 INFO SearchOrchestrator [994756 searchOrchestrator] - Starting the status control thread. 08-07-2023 16:03:05.749 INFO SearchOrchestrator [994756 searchOrchestrator] - Starting phase=1 08-07-2023 16:03:05.749 INFO ReducePhaseExecutor [994794 phase_1] - Starting phase_1 08-07-2023 16:03:05.749 INFO SearchStatusEnforcer [994787 StatusEnforcerThread] - Enforcing disk quota = 10485760000 08-07-2023 16:03:05.805 ERROR ChunkedExternProcessor [994794 phase_1] - EOF while attempting to read transport header read_size=0 08-07-2023 16:03:05.805 ERROR ChunkedExternProcessor [994794 phase_1] - Error in 'databricksquery' command: External search command exited unexpectedly with non-zero error code 1. 08-07-2023 16:03:05.805 INFO ReducePhaseExecutor [994794 phase_1] - Ending phase_1</LI-CODE> Mon, 07 Aug 2023 16:08:33 GMT https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39275#M5625 hukel 2023-08-07T16:08:33Z https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39276#M5626 <P><a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/85970">@hukel</a>&nbsp;-&nbsp; Does the below query runs fine in an isolated notebook?</P><PRE>SELECT ImageFileName, _time, *\n FROM silver.ProcessRollup2 \n\n WHERE event_date BETWEEN '2023-08-07' AND '2023-08-07'\n AND _time &gt;= 1691409780.000 AND _time &lt;= 1691424183.000\n AND (\n LOWER(ImageFileName) LIKE '\\\\\\\\device\\\\\\\\harddiskvolume%\\\\\\\\\agentexecutor.exe'\n )\n ORDER BY _time DESC \n\n LIMIT 1 </PRE><P>&nbsp;</P> Mon, 07 Aug 2023 16:17:41 GMT https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39276#M5626 shan_chandra 2023-08-07T16:17:41Z https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39280#M5627 <P>Yes,&nbsp; this is a test query that I always use.&nbsp; It has only stopped working after the 1.2 upgrade.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hukel_0-1691425884567.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/3083i4708713B8B23D975/image-size/medium?v=v2&amp;px=400" role="button" title="hukel_0-1691425884567.png" alt="hukel_0-1691425884567.png" /></span></P><P>&nbsp;</P> Mon, 07 Aug 2023 16:31:35 GMT https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39280#M5627 hukel 2023-08-07T16:31:35Z https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39464#M5628 <P>There is a new mandatory parameter for <STRONG>databricksquery</STRONG> called <STRONG>account_name</STRONG>.&nbsp; &nbsp; This breaking change is not documented in Splunkbase release notes but it does appear in the docs within the Splunk app.</P><P>&nbsp;</P><DIV class=""><PRE>databricksquery cluster="&lt;cluster_name&gt;" query="&lt;SQL_query&gt;" command_timeout=&lt;timeout_in_seconds&gt; account_name="&lt;account_name&gt;"</PRE><P>&nbsp;</P></DIV> Wed, 09 Aug 2023 17:15:01 GMT https://community.databricks.com/t5/get-started-discussions/databricks-add-on-for-splunk-v1-2-error-in-databricksquery/m-p/39464#M5628 hukel 2023-08-09T17:15:01Z