All Apps and Add-ons

Errors in estreamer encore log

ctrol
Engager

Hi

Has anyone came across these errors in the estreamer encore log? We are facing issues getting events from the cisco:estreamer:data sourcetype and wondered if it could be related to it.
Everytime we restart the service or move the bookmark file we get a burst of events then it slows down to a halt, we have upgraded to v3.5.0 but the issue still remains

error: unpack requires a string argument of length 4\nTraceback (most recent call last):\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/baseproc.py", line 111, in _start\n callback()\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/receiver.py", line 159, in next\n self._parseMessageBundle( message )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/receiver.py", line 111, in _parseMessageBundle\n self._send( message )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/receiver.py", line 143, in _send\n self.callback( message )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/pipeline.py", line 388, in onEvent\n event = parse( message, self.settings )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/pipeline.py", line 124, in parse\n parser.parse()\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 512, in parse\n self._parse( self.data, self.offset, self.record )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 406, in _parse\n offset = self._parseAttributes( data, offset, attributes, record )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 394, in _parseAttributes\n offset = self._parseBlock( data, offset, attribute, block )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 210, in _parseBlock\n offset = self._parseAttributes( data, offset, blockDefinition, context )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 394, in _parseAttributes\n offset = self._parseBlock( data, offset, attribute, block )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 210, in _parseBlock\n offset = self._parseAttributes( data, offset, blockDefinition, context )\n File "/apps/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/adapters/binary.py", line 362, in _parseAttributes\n data[ offset : offset + byteLength ] )[ 0 ]\nerror: unpack requires a string argument of length 4\n

Thanks

0 Karma

douglashurd
Builder

The current version 3.5.3 of the TA should fix this issue. When it sees an event it cannot properly parse it will write an error and continue collecting events. In previous versions this error would cause the TA to stop.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...