
Error using Protocol Data Inputs app

ClicktaleChris
New Member

I found your Splunk Add-on that supports websockets and thought it would work great for a side project I am working on.

I could not find any configuration doc, so I started guessing and looks like I needed to update /Applications/Splunk/etc/apps/protocol_ta/README/inputs.conf.spec based on messages in the log. I am still getting the following error and hope this is just an oversight on my end.

I have pasted the updated inputs.conf.spec for your review and the errors in the log. There were a few articles on the answers site, but none of them resolved the issue.

I also do not see configuration options in DataInput and assume this is due to the error at startup (this is based on the content in protocol_manager.xml).

Log Snippet:
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "powershell2://" with 2 parameters: script, schedule
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "powershell://" with 2 parameters: script, schedule
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "protocol://" with 27 parameters: protocol, port, bind_address, use_ssl, tcp_nodelay, receive_buffer_size, tcp_keepalive, so_linger, keystore_pass, keystore_path, truststore_pass, truststore_path, client_auth_required, ip_version, is_multicast, udp_receive_buffer_size, set_broadcast, multicast_group, multicast_ttl, set_multicast_loopback_mode, session_timeout, heartbeat_period, app_name, output_type, server_verticle_instances, handler_verticle_instances, output_verticle_instances
12-06-2017 15:39:11.460 -0500 INFO SpecFiles - Found external scheme definition for stanza "splunktcptoken://" with 1 parameters: token
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Introspecting scheme=protocol: script running failed (exited with code 1).
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Unable to initialize modular input "protocol" defined inside the app "protocol_ta": Introspecting scheme=protocol: script running failed (exited with code 1).

12-06-2017 15:39:14.429 -0500 INFO DS_DC_Common - Initializing the PubSub system.
12-06-2017 15:39:14.429 -0500 INFO DS_DC_Common - Initializing core facilities of PubSub system.

Any help is greatly appreciated.

File:

[protocol://websocket]

*------------
*General settings
*------------

*protocol to use  , one of  [tcp , udp, http, websocket , sockjs]
protocol=websocket

*network port to open.For ports < 1024 , you'll need to be running with root permissions.
port=9000

*network interface address to bind to , IP or hostname , defaults to 0.0.0.0 (listen on all interfaces)
bind_address=0.0.0.0

*whether or not (0,1) to use SSL for TCP or HTTP
use_ssl=0

*------------
*TCP settings
*------------

*whether or not (0,1) to enable TCP No Delay
tcp_nodelay=1

*buffer size (number)
receive_buffer_size=9000

*whether or not (0,1) to enable TCP Keep Alive
tcp_keepalive=1

*SO Linger time in seconds.Using a negative value will disable it.
so_linger=5

*-------------------------------------------------------------------------------
*SSL settings (uses your own Java Keystore , NOT Splunk's internal Certificates)
*Refer to http://vertx.io/core_manual_java.html#ssl-servers
*-------------------------------------------------------------------------------

*Java Keystore password
keystore_pass=password

*Java Keystore path
keystore_path=/

*Java Truststore password
truststore_pass=password

*Java Truststore path
truststore_path=/

*whether or not (0,1) client authentication is required
client_auth_required=0

*------------
*UDP settings
*------------

*v4 or v6
ip_version=v4

*whether or not (0,1) this UDP socket is also multicast
is_multicast=0

*buffer size (number)
udp_receive_buffer_size=9000

*whether or not (0,1) to set broadcast mode
set_broadcast=0

*IP address pattern of the network interface
multicast_group=0.0.0.0

*time to live (number)
multicast_ttl=900

*whether or not (0,1) to set multicast loopback mode
set_multicast_loopback_mode=0

*---------------
*SockJS Settings
*---------------

*session timeout (number)
session_timeout=900

*heartbeat period (number)
heartbeat_period=10

*application name. Defaults to "splunk" , so the URI would be http://somehost/splunk
app_name=splunk

*---------------
*Custom Data Handler
*---------------

*custom data handler name (a vertx polyglot verticle that you've placed in the protocol_ta/bin/datahandlers directory)
**handler_verticle = <value>

*A JSON Config String to pass to the handler, example :  {"foo":"1","zoo":"goo"}
**handler_config = <value>

*------------
*Data Output
*------------

* One of [stdout | tcp | hec ]. Defaults to stdout.
output_type = stdout

* For tcp output.
**output_port = <value>

* For hec(HTTP Event Collector) output
**hec_port = <value>
* Defaults to 1
**hec_poolsize = <value>
**hec_token = <value>
* 1 | 0
**hec_https = <value>
# 1 | 0
**hec_batch_mode = <value>
# numeric value
**hec_max_batch_size_bytes = <value>
# numeric value
**hec_max_batch_size_events = <value>
#in milliseconds
**hec_max_inactive_time_before_batch_flush = <value>


*---------------------
*JVM System Properties
*---------------------

*additional JVM properties , these will get applied JVM wide , so be judicious in use
**additional_jvm_propertys = <value>

*-------------------------------
*Performance Tuning and Scaling
*-------------------------------

*You can increase the number of instances to utilise more cores on your server

*defaults to 1 , refer to http://vertx.io/core_manual_java.html#specifying-number-of-instances
server_verticle_instances = 1

*defaults to 1 , refer to http://vertx.io/core_manual_java.html#specifying-number-of-instances
handler_verticle_instances = 1

*defaults to 1 , refer to http://vertx.io/core_manual_java.html#specifying-number-of-instances
output_verticle_instances = 1

* Refer to http://vertx.io/manual.html#improving-connection-time
**accept_backlog = <value>
0 Karma

Damien_Dallimor
Ultra Champion
so I started guessing and looks like I needed to update /Applications/Splunk/etc/apps/protocol_ta/README/inputs.conf.spec based on messages in the log

You guessed wrong, you absolutely should NOT change that file. Ever.

When you set up a stanza via the UI, stanzas get written to local/inputs.conf for you.

12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Introspecting scheme=protocol: script running failed (exited with code 1).
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Unable to initialize modular input "protocol" defined inside the app "protocol_ta": Introspecting scheme=protocol: script running failed (exited with code 1).

The App is not even running and loading, that is why you see no config screen under data inputs.

I'm going to guess you have not followed something in the docs such as correct JRE version and/or a JRE is on the path.

Try reading the Dependencies, Setup and Troubleshooting section in the docs.

ClicktaleChris
New Member

Thank you for the quick response.
I restored the inputs.conf.spec file and back-leveled my JRE to 1.7 and it works like a Champ!

Note: requirements of JRE1.7+, but JRE 1.9 causes issue...stick with JRE1.7 and all works well.

0 Karma
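
A triage helper for the failure diagnosed in this thread, added here as an example; it is not part of the original posts or of the add-on's code. It scans splunkd.log text for ModularInputs introspection failures, reports which scheme and app failed to initialize, and shows whether a java executable is on the PATH. The function name and regular expressions are assumptions made for illustration, and the embedded sample is constructed from the log lines quoted above.

```python
import re
import shutil
import sys

# Constructed sample: one INFO line and the two ERROR lines quoted in the thread.
SAMPLE_LOG = '''\
12-06-2017 15:39:11.460 -0500 INFO SpecFiles - Found external scheme definition for stanza "splunktcptoken://" with 1 parameters: token
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Introspecting scheme=protocol: script running failed (exited with code 1).
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Unable to initialize modular input "protocol" defined inside the app "protocol_ta": Introspecting scheme=protocol: script running failed (exited with code 1).
'''

# splunkd.log layout as seen in the thread: timestamp, level, component, " - ", message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>\w+)\s+(?P<component>\w+) - (?P<msg>.*)$')
INTROSPECT_RE = re.compile(
    r'Introspecting scheme=(?P<scheme>[\w.-]+): script running failed '
    r'\(exited with code (?P<code>-?\d+)\)')
INIT_RE = re.compile(
    r'Unable to initialize modular input "(?P<scheme>[^"]+)" '
    r'defined inside the app "(?P<app>[^"]+)"')


def failed_modular_inputs(log_text):
    """Return {scheme: {"app", "exit_code", "first_seen"}} for failed introspection."""
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR" or m["component"] != "ModularInputs":
            continue
        intro = INTROSPECT_RE.search(m["msg"])
        if not intro:
            continue
        entry = failures.setdefault(intro["scheme"], {
            "app": None, "exit_code": int(intro["code"]), "first_seen": m["ts"]})
        # The "Unable to initialize" line is the one that names the owning app.
        init = INIT_RE.search(m["msg"])
        if init and init["scheme"] == intro["scheme"]:
            entry["app"] = init["app"]
    return failures


if __name__ == "__main__":
    # Pass a path to splunkd.log, or run with no argument to use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for scheme, info in failed_modular_inputs(text).items():
        print(f'{scheme} (app {info["app"]}): introspection exited '
              f'{info["exit_code"]} at {info["first_seen"]}')
    print("java on PATH:", shutil.which("java") or "not found")
```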