
Invalid configuration specified: "NoneType-object has no attribute 'group'"

ademuyiwaronja
New Member

I'm trying to use Splunk Stream to analyse a pcap file and it doesn't work. After choosing "PCAP file" in the "Data input" tab, I'm prompted to create a new configuration, which means choosing a name and a file, it seems. So I choose a name and a pcap file, but when I click Next it says: Encountered the following error while trying to save: Invalid configuration specified: 'NoneType' object has no attribute 'group'. This happens whether or not I tick any of the other boxes like "System Time". What am I doing wrong? OS is Ubuntu 18.04, browser is Firefox, in case that matters.

0 Karma
1 Solution

uagrawal_splunk
Splunk Employee

No, you are not doing anything wrong. Currently, Stream App 7.1.3 is supported up to Splunk version 7.3.x (i.e. Pinkiepie). So, if you are using the Stream App with the Quake build, you might get the above error.

malvidin
Communicator

A workaround is using the CLI to read the PCAP. The streamfwd binary location depends on your OS architecture, as detailed in the documentation.
https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/streamfwdcommandlineoptions

streamfwd -r "{}"    # {} is the path of the PCAP file to read

Although Stream 7.2 lists Splunk 8.0 as supported, direct PCAP uploads are not. That is included in the release notes as a known issue without much information.
https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues

One of the secondary issues is that Splunk Stream assumes that file information passed to Stream is correct before it does regex extraction of the input PCAP filename. When this happens, the input script does not provide any useful information when the regex search fails.

From what I see, the issue comes from the way that Quake passes the data to Stream on stdin.

Value passed to stdin: "<__main__.UnicodePart object at 0x00000000>"
Expected value: "FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')"

I'd appreciate it if Splunk used something like the following to replace the get_pcap_filename and get_pcap_data functions, so that any related errors returned to the user don't require extra work to search for the issue.

import re

def get_pcap_fileinfo(config, field):
    # field selects which part of the uploaded FieldStorage repr to return
    if field not in {'filename', 'filedata'}:
        raise Exception("Invalid PCAP information requested.")
    # Matches the repr Splunk passes on stdin for a working upload, e.g.
    # FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')
    # re.DOTALL lets the filedata group span newlines in the embedded data.
    upload_parser = re.compile(
        r'^FieldStorage\(\'pcap_file\',\s\'(?P<filename>[^\']+)\',\s["\'](?P<filedata>.+)["\']\)$',
        re.DOTALL)
    fileinfo_match = upload_parser.search(config['pcap_file'])
    if fileinfo_match:
        fileinfo = fileinfo_match.group(field)
    else:
        # Fail with an actionable message instead of letting .group() blow up on None
        raise Exception("Could not extract filename or filedata from user input. Known issue for Splunk 8.0 (Quake) and Stream 7.2 (STREAM-4235)")
    return fileinfo
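As an added illustration (not code from the Stream app or from the poster above), the following runs the two stdin values quoted in the post through both the unchecked `.group()` call that produces the error in the question title and a checked parser, so the difference in what the user sees is visible. The sample values, `naive_filename`, `parse_pcap_upload` and `PcapInputError` are constructed for this example.

```python
import re

# Constructed sample values, taken from the two stdin shapes quoted in the post:
# the working FieldStorage repr and the broken Splunk 8.0 (Quake) value.
GOOD_STDIN = "FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')"
BROKEN_STDIN = "<__main__.UnicodePart object at 0x00000000>"

UPLOAD_RE = re.compile(
    r"^FieldStorage\('pcap_file',\s'(?P<filename>[^']+)',\s[\"'](?P<filedata>.+)[\"']\)$",
    re.DOTALL,  # embedded file data may contain newlines
)


def naive_filename(stdin_value):
    """Unchecked extraction: when the regex does not match, search() returns
    None and .group() raises "'NoneType' object has no attribute 'group'"."""
    return UPLOAD_RE.search(stdin_value).group("filename")


class PcapInputError(ValueError):
    """Raised with an actionable message when stdin is not a FieldStorage repr."""


def parse_pcap_upload(stdin_value):
    """Checked extraction: return (filename, filedata) or raise PcapInputError
    that names the unexpected input instead of an internal attribute error."""
    match = UPLOAD_RE.search(stdin_value)
    if match is None:
        raise PcapInputError(
            "stdin did not contain a FieldStorage('pcap_file', ...) value; got %r"
            % stdin_value[:60])
    return match.group("filename"), match.group("filedata")


def describe_failure(stdin_value):
    """Report what each approach yields for one stdin value (hypothetical helper)."""
    results = {}
    try:
        results["naive"] = naive_filename(stdin_value)
    except AttributeError as exc:
        results["naive"] = "AttributeError: %s" % exc
    try:
        results["checked"] = parse_pcap_upload(stdin_value)[0]
    except PcapInputError as exc:
        results["checked"] = "PcapInputError: %s" % exc
    return results


if __name__ == "__main__":
    for value in (GOOD_STDIN, BROKEN_STDIN):
        print(describe_failure(value))
```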

uagrawal_splunk
Splunk Employee

Which Splunk version are you using? Is it Quake (Python 3)?

0 Karma

ademuyiwaronja
New Member

Version is Splunk Enterprise 8.0.0.

0 Karma

uagrawal_splunk
Splunk Employee

Right now, Stream App is not supported with Splunk Enterprise 8.0.0.

0 Karma