All Apps and Add-ons

Can you help me with the following authentication error with AWS Trusted Advisor Plugin (Splunk Enterprise 7.1.3)?

adamhobbs_sti
Explorer

I'm running into an authentication issue right after I add a new input to the plugin (see below).

Running Enterprise 7.1.3 on RHEL 7.5

Steps - Install the plugin via GUI, restart Splunk via GUI, disable the default inputs (8x nhsd*), and add a new input. I've tried using an Access&Secret key, an assume role ARN and a IAM role for the instance — all generate the same error (see above).

(Error message from splunkd.log)

*10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py" Traceback (most recent call last):
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"   File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/ta_aws_trusted_advisor/modinput_wrapper/base_modinput.py", line 127, in stream_events
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"     self.collect_events(ew)
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"   File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py", line 72, in collect_events
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"     input_module.collect_events(self, ew)
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"   File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/input_module_aws_trusted_advisor.py", line 267, in collect_events
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"     client = authenticate(helper)
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"   File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/input_module_aws_trusted_advisor.py", line 119, in authenticate
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py"     aws_access_key_id=access_key_id,
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py" UnboundLocalError: local variable 'access_key_id' referenced before assignment
10-02-2018 00:00:00.001 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/aws_trusted_advisor.py" ERRORlocal variable 'access_key_id' referenced before assignment*

Any thoughts? Thanks in advance

0 Karma

shwetas
Explorer

HI All,

I am getting below error post Aws trusted agrregrator configuration Did any one else also face same issue? how to fix

:/opt/splunk/var/log/splunk# tail ta_aws_trusted_advisor_aws_trusted_advisor.log
File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/botocore/hooks.py", line 210, in _emit
response = handler(**kwargs)
File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/botocore/signers.py", line 90, in handler
return self.sign(operation_name, request)
File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/botocore/signers.py", line 156, in sign
auth.add_auth(request)
File "/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/botocore/auth.py", line 352, in add_auth
raise NoCredentialsError
NoCredentialsError: Unable to locate credentials

0 Karma

shwetas
Explorer

Can anyone help me to udnerstand how to dump data to trusted_advisor_checks.csv file for lookup.In my case there is no data available udner trusted_advisor_checks.csv

0 Karma

livehybrid
SplunkTrust
SplunkTrust

This application has now been updated to resolve this issue.

0 Karma

seancruikshanki
Explorer

Same issue here, error message below:

UnboundLocalError: local variable 'access_key_id' referenced before assignment

Any updates around this? I attempted to make the variables global but this made the inputs web page break.

livehybrid
SplunkTrust
SplunkTrust

Hi,
I've just uploaded a new version of the app (1.0.3) which should be available shortly.
Please do get in touch directly if there are any issues that I can help with, contact details are on the App page on Splunkbase!
Cheers

0 Karma

cfattori
New Member

Same problem Here!
Thanks.
Caio

0 Karma

lexius011
New Member

Same issue...

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Apologies in the delay getting back to you on this...did you manage to get this working? I havent been able to replicate the above error...
Thanks
Will

0 Karma

adamhobbs_sti
Explorer

Will -

The proposed code worked as I am past that error, but I'm encountering two new issues (they are probably related). I was getting a truncate length error, but I was able to resolve this by mod'ing the plugin props.conf file (TRUNCATE = 175000). The plugin now pulls data for the first input (I had to mod the dashboard templates because of index naming, but this is a non-issue).

When I attempt to add a 2nd or 3rd input, I get the following errors in the log -

2018-10-08 19:30:34,728 WARNING pid=81170 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 19:50:34,683 WARNING pid=92805 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 20:10:34,947 WARNING pid=106592 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 20:30:34,634 WARNING pid=119048 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 20:50:34,668 WARNING pid=571 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 21:10:34,777 WARNING pid=13451 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 21:30:34,792 WARNING pid=26452 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 21:50:34,671 WARNING pid=39096 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 22:10:34,920 WARNING pid=52040 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 22:30:34,925 WARNING pid=64241 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 22:50:34,833 WARNING pid=76296 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 23:10:47,972 WARNING pid=90005 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 23:30:39,522 WARNING pid=102299 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE
2018-10-08 23:50:49,920 WARNING pid=115220 tid=MainThread file=base_modinput.py:log_warning:300 | scrub_INPUT-NAME-HERE

I've swapped the plugin log mode to 'debug' to see if there is any more information to glean; any thoughts?

Thanks,
-Adam

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Sorry about the delay getting back to you on this.
Looks like a typo that I missed. Can you try replacing your file:
/opt/splunk/etc/apps/TA-aws-trusted-advisor/bin/input_module_aws_trusted_advisor.py
with this: https://pastebin.com/UheNeDDz
Give it a restart/toggle on/off and see if it works? Let me know how it goes so I can update the app on Splunkbase!
Thanks
Will

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi,
I’ll look into this and get back to you tomorrow (currently at Splunk Conf!)
I’ll also remove the default inputs from the next version of the app.
Thanks
Will (Author)

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...