
Cisco AMP for Endpoints Events Input app error message on ES Search Head



Splunk Enterprise version:
• Search Head –
• Indexer – 7.1.3 (Sites=2; 28 Indexers in each site)
• Enterprise Security App – 5.1.1

I upgraded the Cisco AMP for Endpoints Events Input app from 1.1.2 to 1.1.6, and since then I have been getting these ERROR messages.

I tried running the script manually:

[@] /opt/splunk/etc/apps/amp4e_events_input/bin $ ./
./amp4e_events_input.py1: import: not found [No such file or directory]
./[2]: import: not found [No such file or directory]
./[3]: import: not found [No such file or directory]
./[4]: import: not found [No such file or directory]
./[6]: from: not found [No such file or directory]
./[8]: from: not found [No such file or directory]
./[9]: from: not found [No such file or directory]
./[10]: from: not found [No such file or directory]
./ line 10: syntax error at line 13: `(' unexpected

Original script:

[@] /opt/splunk/etc/apps/amp4e_events_input/bin $ cat
import sys
import time
import traceback
import json

from splunklib.modularinput import Argument, Event, Scheme, Script

from amp4e_events_input.amp_storage_wrapper import AmpStorageWrapper
from util.logger import logger
from util.stream_consumer import StreamConsumer


class Amp4eEventsInput(Script):
    # name: [description, required_on_create, required_on_edit]
    # (the dict wrapper and indentation were lost in the forum paste and are restored here)
    SCHEME_ARGUMENTS = {
        'stream_name': ['The event stream name', True, True],
        'event_types': ['Enter event type evt_ids for the stream', True, True],
        'groups': ['Enter group guids for the stream', False, False],
        'api_host': ['AMP for Endpoints API host', True, True],
        'api_id': ['3rd Party API Client ID provided by AMP for Endpoints', True, True],
        'api_key': ['API secret', True, True],
        'event_types_names': ['Event types names', True, True],
        'groups_names': ['Groups names', False, False]
    }

    def get_scheme(self):
        scheme = Scheme('Cisco AMP for Endpoints Events Input')
        scheme.description = 'Allows creating and managing event streams from AMP for Endpoints'
        scheme.use_external_validation = False
        scheme.use_single_instance = False
        # Register the arguments declared in SCHEME_ARGUMENTS with the scheme.
        self.__add_scheme_arguments(scheme)
        return scheme

    # DEPRECATED within app. Use only if necessary
    def validate_input(self, validation_definition):
        pass

    # Runs once on splunk restart and then gets called every time new input is created
    # Checks if the stream needs to be deleted (i.e. user
    # deleted it) and performs the deletion via API (?).
    # Tries to set up the RabbitMQ connection with credentials from current stream.
    # If stream doesn't exist yet, exits.
    # Otherwise, fetches all events from queue and writes them to logs.
    def stream_events(self, inputs, ew):
        try:
            for input_name, _ in inputs.inputs.items():
                logger.debug('Starting input ' + input_name)
                inputs.metadata['name'] = input_name.split('://', 1)[-1]
                stream = self.__stream_from_inputs(inputs)
                connection_data = stream.get('amqp_credentials')
                if connection_data is not None:
                    consumer = StreamConsumer(connection_data,
                                              lambda event: self.__on_event_callback(event, ew, {
                                                  'input_name': input_name,
                                                  'host': stream.get('api_host'),
                                                  'index': stream.get('index')}))
                break  # break if we somehow have more than one input here
        except Exception as e:
            raise e

    def __add_scheme_arguments(self, scheme):
        for name, [description, required_on_create, required_on_edit] in self.SCHEME_ARGUMENTS.items():
            scheme.add_argument(Argument(name, description=description,
                                         required_on_create=required_on_create,
                                         required_on_edit=required_on_edit))

    def __stream_from_inputs(self, inputs):
        storage = AmpStorageWrapper(inputs.metadata)
        stream = storage.find_stream()
        logger.debug('Found Stream: {}'.format(stream.get('name')))
        # connection_data = stream['amqp_credentials']
        # Change this in development if we have no correct data from API
        # connection_data.update({'host': self.RMQ_HOST, 'port': self.RMQ_PORT})
        return stream

    def __on_event_callback(self, event_json, ew, options):
        logger.debug('Received event with input {}'.format(options['input_name']))
        index = options['index'] if options.get('index') is not None else 'main'
        host = options['host'] if options.get('host') is not None else 'Cisco AMP for Endpoints'
        decoded_event = json.loads(event_json)
        # decoded_event['timestamp'] = time.time()  # commented out for real-time events
        event = Event(stanza=options['input_name'], data=json.dumps({'event': decoded_event}), host=host,
                      sourcetype='cisco:amp:event', index=index)
        logger.debug('Publishing event to index {} with host {}...'.format(index, host))
        # Hand the event to Splunk through the EventWriter.
        ew.write_event(event)


if __name__ == "__main__":
    # Standard splunklib modular-input entry point; Splunk runs this with its own interpreter.
    sys.exit(Amp4eEventsInput().run(sys.argv))



Our app does not support being manually run from the command line. It must be configured purely by Splunk. This is why you will get an error when running the python script manually.

## Expected errors when run manually, our app does not support being run outside of splunk
./ line 1: import: command not found
./ line 2: import: command not found
./ line 3: import: command not found
./ line 4: import: command not found
./ line 6: from: command not found
./ line 8: from: command not found
./ line 9: from: command not found
./ line 10: from: command not found
./ line 13: syntax error near unexpected token `('
./ line 13: `class Amp4eEventsInput(Script):'

The error you are getting from Splunk indicates that our app terminated prematurely. To debug further, could you post the most recent log lines from:






Optionally, we've built in diagnostics in our app which will generate a diagnostic file and tar up some useful log files. However, this file may include sensitive information. If you are okay with this, please run:

 splunk login
 splunk diag --collect app:amp4e_events_input

And send the diagnostic file to with this Splunk answers link as a reference.



I sent the diagnostic file to
Subject of an email: Cisco AMP for Endpoints Events Input app error message on Enterprise Security Splunk Search Head

Please let me know if you need more details.



Thanks man.

Let me check with my Team if I can send those details.
