1.1.0 appears not to honor disabled proxy

davidblizzard
Explorer

Doesn't look like my question posted. The app is configured for message trace logs. When first configured, the app seems to be able to get data. message_trace log puts the entry: 2018-10-12 12:01:44,812 INFO pid=7000 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!

Further attempts fail and the log does not show the Proxy is not enabled entry.

Any ideas?

I am running Splunk Enterprise 7.1.3 on Windows. I've configured the app to capture the message trace logs. When it runs the first time or two it will ingest the data. When successful, the log entry looks like the below entry. Note that it specifically calls out that "Proxy is not enabled!"
2018-10-12 12:01:07,232 INFO pid=7000 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:01:16,811 INFO pid=7000 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:01:31,555 INFO pid=7000 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:01:44,779 INFO pid=7000 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-10-12 12:01:44,780 INFO pid=7000 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-10-12 12:01:44,782 INFO pid=7000 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:01:44,812 INFO pid=7000 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!

The log for an unsuccessful run looks like the one below. The "Proxy is not enabled!" entry does not exist and the app is unable to get data.

2018-10-12 12:06:02,888 INFO pid=9192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:06:06,944 INFO pid=9192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:06:14,022 INFO pid=9192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-10-12 12:06:21,098 INFO pid=9192 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-10-12 12:06:21,098 INFO pid=9192 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-10-12 12:06:21,099 INFO pid=9192 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1

On occasion, if I change the configuration it will be successful with the same logging, but that is not consistent. I have spent quite a bit of time on this and am not sure where to go.

The ta_ms_o365_reporting_settings.conf file looks like this:

[proxy]
[logging]

Any help would be appreciated.

0 Karma

jconger
Splunk Employee

The proxy verbiage may be a red herring. Try setting the log level to debug either through the add-on's UI or in ta_ms_o365_reporting_settings.conf like so:

[logging]
loglevel = DEBUG

Then try this search:

index=_internal source="*ta_ms_o365_reporting_ms_o365_message_trace*" earliest=-7d latest=now file=base_modinput.py*
0 Karma

davidblizzard
Explorer

Once I added a new input, this has been resolved. Thank you.

0 Karma

davidblizzard
Explorer

I finally got around to working on this. It looks like you were right about the message.

I now have logging set to debug and I get this message now:

2018-10-17 11:53:20,088 DEBUG pid=6244 tid=MainThread file=base_modinput.py:log_debug:286 | Start date: 2018-10-17 16:20:41, End date: 2018-10-17 17:20:41
2018-10-17 11:53:20,089 DEBUG pid=6244 tid=MainThread file=base_modinput.py:log_debug:286 | end_date is greater than the specified delay throttle [start_date=2018-10-17 16:20:41 end_date=2018-10-17 17:20:41 utc_now=2018-10-17 16:53:20.090000] Skipping...

Interval is set to 300
Query window size 60
Delay throttle 90

After researching this response, it appears others are having a similar issue but I see no resolution.

Recommendations?

Thanks

0 Karma

jconger
Splunk Employee
  • That message indicates the input ran at 2018-10-17 16:53:20.090000 UTC.
  • The start date used for the query was 2018-10-17 16:20:41.
  • Since your query window size is 60 minutes, the end date used was 2018-10-17 17:20:41 (start date + 60 minutes).
  • The input will skip this query if the end date + 90 minutes (your delay throttle) is greater than the time the input runs.
  • So 2018-10-17 17:20:41 + 90 minutes = 2018-10-17 18:50:41 which is greater than 2018-10-17 16:53:20.090000.
  • Your Interval is 300 seconds (5 minutes). So, the next time the input runs at 2018-10-17 16:58:20 UTC, it will skip again and continue to skip until the run time is greater than 2018-10-17 18:50:41.

Here is a picture that may help illustrate the above:

[Image not preserved]

0 Karma
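
The skip rule explained in the reply above, worked through in Python as an added example (not part of the original thread and not the add-on's own code). The function names are hypothetical; the dates and settings are the ones quoted in the thread, and the loop assumes runs fire exactly every interval while the start date stays unchanged during skipped runs.

```python
from datetime import datetime, timedelta


def query_window(start_date, window_minutes):
    """End of the query window: start date plus the query window size."""
    return start_date + timedelta(minutes=window_minutes)


def should_skip(start_date, run_time, window_minutes, throttle_minutes):
    """Skip rule as described in the reply: end date + delay throttle > run time."""
    end_date = query_window(start_date, window_minutes)
    return end_date + timedelta(minutes=throttle_minutes) > run_time


def first_collecting_run(start_date, first_run, interval_seconds,
                         window_minutes, throttle_minutes):
    """Step through scheduled runs; return (skipped_count, first run that collects).

    Assumption: runs fire exactly every interval and the start date does
    not move while runs are being skipped.
    """
    run_time, skipped = first_run, 0
    while should_skip(start_date, run_time, window_minutes, throttle_minutes):
        run_time += timedelta(seconds=interval_seconds)
        skipped += 1
    return skipped, run_time


# Values taken from the DEBUG log lines and settings quoted in the thread.
START = datetime(2018, 10, 17, 16, 20, 41)           # start_date (UTC)
UTC_NOW = datetime(2018, 10, 17, 16, 53, 20, 90000)  # utc_now of the logged run

if __name__ == "__main__":
    # Interval 300 s, query window 60 min, delay throttle 90 min.
    skipped, run = first_collecting_run(START, UTC_NOW, 300, 60, 90)
    print(f"window end       : {query_window(START, 60)}")
    print(f"skipped runs     : {skipped}")
    print(f"first collection : {run}")
    print(f"lag behind start : {run - START}")
```

With these settings, message trace events from the start of the window are not collected until roughly two and a half hours later, which matters when sizing alert time ranges over this data.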

davidblizzard
Explorer

Thank you for the reply. I have downgraded the app to get everything functional. I will upgrade to the latest and start here.

Thanks!

0 Karma