https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/583945#M15880 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/205389">@guarisma</a>&nbsp;! How do you resolve this issue?</P> Mon, 07 Feb 2022 13:56:33 GMT DmitriyGolovnya 2022-02-07T13:56:33Z https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/550130#M12212 <P>Our CrowdStrike Add-on stopped pulling logs via the API giving this error</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">2021-05-01 19:03:31,879 ERROR pid=31672 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/ta_crowdstrike_falcon_event_streams/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/crowdstrike_event_streams.py", line 71, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 358, in collect_events crowdstrike_client() File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 234, in crowdstrike_client num_feeds = len(response['resources']) TypeError: object of type 'NoneType' has no len()</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I can't understand what happened or how to prevent it for happening again.</P><P>Anyone out there with same issue?</P><P>&nbsp;</P> Sun, 02 May 2021 02:12:48 GMT https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/550130#M12212 guarisma 2021-05-02T02:12:48Z https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/583945#M15880 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/205389">@guarisma</a>&nbsp;! How do you resolve this issue?</P> Mon, 07 Feb 2022 13:56:33 GMT https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/583945#M15880 DmitriyGolovnya 2022-02-07T13:56:33Z https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/584123#M15884 <P>No, never got an answer, but we're not using CrowdStrike anymore</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/Crowdstrike-Stream-Stops-Woking/m-p/536216" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Crowdstrike-Stream-Stops-Woking/m-p/536216</A></P> Tue, 08 Feb 2022 14:54:09 GMT https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/584123#M15884 guarisma 2022-02-08T14:54:09Z https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/596427#M16076 <P>Here's a possible explanation for the interruption some folks are seeing.</P><P>We observed the same behavior today with our on-prem Splunk heavy-forwarder not getting events from the <SPAN>CrowdStrike Falcon Event Streams API&nbsp;</SPAN>for the past 7 days.&nbsp;</P><P>We eventually found that the past 7 days of "missing" events were getting pulled into our Splunk Cloud stack where we also had deployed&nbsp;<SPAN>CrowdStrike Falcon Event Streams add-on for Splunk.&nbsp; i.e., we had 2 separate Splunk deployments requesting the same data.&nbsp; It seems that only one API "client" instance would always get the data, and the other left out to dry.</SPAN></P><P>When we disabled the input configured on Splunk Cloud, the Splunk on-prem HF started to get the event stream again, collecting all 7 days of "missing" events as well as new events.</P><P>To enable dual inputs, we plan to configure a separate CrowdStrike API key for the Splunk Cloud stack.</P><P>I hope this helps others who've seen this issue.</P> Wed, 04 May 2022 20:47:18 GMT https://community.splunk.com/t5/Security/CrowdStrike-Add-on-stops-with-Error/m-p/596427#M16076 staten 2022-05-04T20:47:18Z