All Apps and Add-ons

Cisco AMP for Endpoints Events Input app error message on ES Search Head

kishor_pinjark1
Explorer

alt text

Background:
Splunk Enterprise version:
• Search Head – 7.1.3.1
• Indexer – 7.1.3 (Sites=2; 28 Indexers in each site)
• Enterprise Security App – 5.1.1

I did up gradation of app Cisco AMP for Endpoints Events Input from 1.1.2 to 1.1.6 and from then I am getting this ERROR messages.

I tried running script manually:

[@] /opt/splunk/etc/apps/amp4e_events_input/bin $ ./amp4e_events_input.py
./amp4e_events_input.py1: import: not found [No such file or directory]
./amp4e_events_input.py[2]: import: not found [No such file or directory]
./amp4e_events_input.py[3]: import: not found [No such file or directory]
./amp4e_events_input.py[4]: import: not found [No such file or directory]
./amp4e_events_input.py[6]: from: not found [No such file or directory]
./amp4e_events_input.py[8]: from: not found [No such file or directory]
./amp4e_events_input.py[9]: from: not found [No such file or directory]
./amp4e_events_input.py[10]: from: not found [No such file or directory]
./amp4e_events_input.py: line 10: syntax error at line 13: `(' unexpected

Original script:

[@] /opt/splunk/etc/apps/amp4e_events_input/bin $ cat amp4e_events_input.py
import sys
import time
import traceback
import json

from splunklib.modularinput import Argument, Event, Scheme, Script

from amp4e_events_input.amp_storage_wrapper import AmpStorageWrapper
from util.logger import logger
from util.stream_consumer import StreamConsumer

class Amp4eEventsInput(Script):
# name: [description, required_on_create, required_on_edit]
SCHEME_ARGUMENTS = {
'stream_name': ['The event stream name', True, True],
'event_types': ['Enter event type evt_ids for the stream', True, True],
'groups': ['Enter group guids for the stream', False, False],
'api_host': ['AMP for Endpoints API host', True, True],
'api_id': ['3rd Party API Client ID provided by AMP for Endpoints', True, True],
'api_key': ['API secret', True, True],
'event_types_names': ['Event types names', True, True],
'groups_names': ['Groups names', False, False]
}

def get_scheme(self):
    scheme = Scheme('Cisco AMP for Endpoints Events Input')
    scheme.description = 'Allows creating and managing event streams from AMP for Endpoints'
    scheme.use_external_validation = False
    scheme.use_single_instance = False
    self.__add_scheme_arguments(scheme)
    return scheme

# DEPRECATED within app. Use only if necessary
# https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/AdvancedDev/ModInputsValidate
def validate_input(self, validation_definition):
    pass

# Runs once on splunk restart and then gets called every time new input is created
# Checks if the stream needs to be deleted (i.e. user
# deleted it) and performs the deletion via API (?).
# Tries to set up the RabbitMQ connection with credentials from current stream.
# If stream doesn't exist yet, exits.
# Otherwise, fetches all events from queue and writes them to logs.

def stream_events(self, inputs, ew):
for input_name, _ in inputs.inputs.items():
logger.debug('Starting input ' + input_name)
inputs.metadata['name'] = input_name.split('://', 1)[-1]
stream = self.stream_from_inputs(inputs)
connection_data = stream.get('amqp_credentials')
if connection_data is not None:
consumer = StreamConsumer(connection_data,
lambda event: self.
on_event_callback(event, ew,
{'input_name': input_name,
'host': stream.get('api_host'),
'index': stream.get('index')}))
try:
consumer.run()
break # break if we somehow have more than one input here
except Exception as e:
logger.error(traceback.format_exc())
time.sleep(3)
raise e

def __add_scheme_arguments(self, scheme):
    for name, [description, required_on_create, required_on_edit] in self.SCHEME_ARGUMENTS.items():
        scheme.add_argument(Argument(name=name,
                                     data_type=Argument.data_type_string,
                                     description=description,
                                     required_on_create=required_on_create,
                                     required_on_edit=required_on_edit))

def __stream_from_inputs(self, inputs):
    storage = AmpStorageWrapper(inputs.metadata)
   stream = storage.find_stream()
    logger.debug('Found Stream: {}'.format(stream.get('name')))
    # connection_data = stream['amqp_credentials']
    # Change this in development if we have no correct data from API
    # connection_data.update({'host': self.RMQ_HOST, 'port': self.RMQ_PORT})
    return stream

def __on_event_callback(self, event_json, ew, options):
    logger.debug('Received event with input {}'.format(options['input_name']))
    index = options['index'] if options.get('index') is not None else 'main'
    host = options['host'] if options.get('host') is not None else 'Cisco AMP for Endpoints'
    decoded_event = json.loads(event_json)
    # decoded_event['timestamp'] = time.time()  # commented out for real-time events
    event = Event(stanza=options['input_name'], data=json.dumps({'event': decoded_event}), host=host,
                  sourcetype='cisco:amp:event', index=index)
    logger.debug('Publishing event to index {} with host {}...'.format(index, host))
    ew.write_event(event)
    logger.debug('Published.')

if name == "main":
sys.exit(Amp4eEventsInput().run(sys.argv))

0 Karma

samsnguy_cisco
Explorer

Our app does not support being manually run from the command line. It must be configured purely by Splunk. This is why you will get an error when running the python script manually.

## Expected errors when run manually, our app does not support being run outside of splunk
./amp4e_events_input.py: line 1: import: command not found
./amp4e_events_input.py: line 2: import: command not found
./amp4e_events_input.py: line 3: import: command not found
./amp4e_events_input.py: line 4: import: command not found
./amp4e_events_input.py: line 6: from: command not found
./amp4e_events_input.py: line 8: from: command not found
./amp4e_events_input.py: line 9: from: command not found
./amp4e_events_input.py: line 10: from: command not found
./amp4e_events_input.py: line 13: syntax error near unexpected token `('
./amp4e_events_input.py: line 13: `class Amp4eEventsInput(Script):'

The error you are getting from Splunk indicates that our app terminated pre-maturely. To debug further, could you post the most recent log lines from:

$SPLUNK_HOME/var/log/splunk/amp4e_events_input.log

AND

$SPLUNK_HOME/var/log/splunk/splunkd.log

AND

$SPLUNK_HOME/var/log/splunk/python_modular_input.log

Optionally, we've built in diagnostics in our app which will generate a diagnostic file and tar up some useful log files. However, this file may include sensitive information. If you are okay with this, please run:

 splunk login
 splunk diag --collect app:amp4e_events_input

And send the diagnostic file to amp4e_splunk_support@cisco.com with this Splunk answers link as a reference.

0 Karma

kishor_pinjark1
Explorer

I sent diagnosis file to amp4e_splunk_support@cisco.com
Subject of an email: Cisco AMP for Endpoints Events Input app error message on Enterprise Security Splunk Search Head

Please let me know if you need more details.

0 Karma

kishor_pinjark1
Explorer

Thanks man.

Let me check with my Team if I can send those details.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...