
Invalid configuration specified: "NoneType-object has no attribute 'group'"

ademuyiwaronja
New Member

I'm trying to use Splunk Stream to analyse a pcap file and it doesn't work. After choosing "PCAP file" in the "Data input" tab, I'm prompted to create a new configuration, which means choosing a name and a file, it seems. So I choose a name and a pcap file, but when I click Next it says: Encountered the following error while trying to save: Invalid configuration specified: 'NoneType' object has no attribute 'group'. This happens whether or not I tick any of the other boxes, like "System Time". What am I doing wrong? OS is Ubuntu 18.04, browser is Firefox, in case that matters.


uagrawal_splunk
Splunk Employee

No, you are not doing anything wrong. Currently, the Stream App 7.1.3 is supported up to Splunk version 7.3.x (i.e. Pinkiepie). So, if you are using the Stream App with the Quake build, then you might get the above error.


malvidin
Communicator

A workaround is using the CLI to read the PCAP. The streamfwd binary location depends on your OS architecture, as detailed in the documentation.
https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/streamfwdcommandlineoptions

streamfwd -r "{}"

Although Stream 7.2 lists Splunk 8.0 as supported, direct PCAP uploads are not. That is included in the release notes as a known issue without much information.
https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues

One of the secondary issues is that Splunk Stream assumes that file information passed to Stream is correct before it does regex extraction of the input PCAP filename. When this happens, the input script does not provide any useful information when the regex search fails.

From what I see, the issue comes from the way that Quake passes the data to Stream on stdin.

Value passed to stdin: "<__main__.UnicodePart object at 0x00000000>"
Expected value: "FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')"

I'd appreciate it if Splunk used something like the following to replace the get_pcap_filename and get_pcap_data functions, so that any related errors returned to the user don't require extra work to search for the issue.

import re


def get_pcap_fileinfo(config, info_type):
    # info_type selects which part of the uploaded file's FieldStorage repr to return
    if info_type not in {'filename', 'filedata'}:
        raise Exception("Invalid PCAP information requested.")
    upload_parser = re.compile(r'^FieldStorage\(\'pcap_file\',\s\'(?P<filename>[^\']+)\',\s["\'](?P<filedata>.+)["\']\)$')
    fileinfo_match = upload_parser.search(config['pcap_file'])
    if fileinfo_match:
        fileinfo = fileinfo_match.group(info_type)
    else:
        # Name the known cause instead of letting .group() fail on None
        raise Exception("Could not extract filename or filedata from user input. Known issue for Splunk 8.0 (Quake) and Stream 7.2 (STREAM-4235)")
    return fileinfo
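To make the root cause concrete, here is an added example (not code from the post above or from Splunk Stream) that reproduces the two stdin shapes quoted in the answer, runs the unchecked `.group()` pattern and a checked variant over both, and shows why the first one surfaces as "'NoneType' object has no attribute 'group'" while the second names the bad input. The two stdin strings, the regex, and the function and exception names are all constructed for this illustration.

```python
import re

# Constructed sample inputs, modelled on the two values quoted in the post:
# what the Stream input script expects on stdin, and what Splunk 8.0 hands it.
EXPECTED_STDIN = "FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')"
BROKEN_STDIN = "<__main__.UnicodePart object at 0x00000000>"

# Same parsing idea as the post: pull filename and filedata out of the repr string.
UPLOAD_PARSER = re.compile(
    r"^FieldStorage\('pcap_file',\s'(?P<filename>[^']+)',\s[\"'](?P<filedata>.+)[\"']\)$"
)


def extract_unchecked(stdin_value):
    """Unchecked pattern: call .group() on whatever search() returned.

    On the broken input search() returns None, so this raises
    AttributeError: 'NoneType' object has no attribute 'group',
    which is the text that reached the user in the UI."""
    match = UPLOAD_PARSER.search(stdin_value)
    return match.group("filename"), match.group("filedata")


class PcapInputError(ValueError):
    """Hypothetical error type whose message names the offending input."""


def extract_checked(stdin_value):
    """Checked variant: validate the match before touching it."""
    match = UPLOAD_PARSER.search(stdin_value)
    if match is None:
        raise PcapInputError(
            "Could not parse PCAP upload from stdin; got %r instead of a "
            "FieldStorage('pcap_file', <filename>, <filedata>) value" % stdin_value[:80]
        )
    return match.group("filename"), match.group("filedata")


def describe_failure(func, stdin_value):
    """Run func on stdin_value; return (ok, message) instead of crashing."""
    try:
        return True, "%s -> %r" % (func.__name__, func(stdin_value))
    except Exception as exc:  # the exception text is the point of the demo
        return False, "%s -> %s: %s" % (func.__name__, type(exc).__name__, exc)


if __name__ == "__main__":
    for value in (EXPECTED_STDIN, BROKEN_STDIN):
        for func in (extract_unchecked, extract_checked):
            print(describe_failure(func, value)[1])
```

Both functions return the same `(filename, filedata)` tuple on the expected input; only on the broken input do they diverge, and the checked version's message is the one you would actually want to see in the Stream log when the regex does not match.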

uagrawal_splunk
Splunk Employee

Which Splunk version are you using? Is it Quake (Python 3)?


ademuyiwaronja
New Member

Version is Splunk Enterprise 8.0.0.


uagrawal_splunk
Splunk Employee

Right now, the Stream App is not supported with Splunk Enterprise 8.0.0.
