
Proofpoint TAP modular app input: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "pyt

konstr
Path Finder

We are trying to ingest logs from Proofpoint TAP using the available addon. We have successfully created the TAP input in our Splunk Cloud but we see no data coming in.

Upon further inspection the following error appears every time the input runs.

11-30-2020 13:27:57.345 +0000 ERROR ExecProcessor [11603 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://TAP_proofpoint_test: stream_events/proofpoint_tap_siem://TAP_proofpoint_test: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "python.version" is not supported by this handler.

Any idea of what the problem might be and how we can fix it?

0 Karma
1 Solution

konstr
Path Finder

We managed to solve the issue eventually. It seems that Splunk support did not install the latest available version of the TA to our Splunk Cloud instance. Even though the version they installed was still compatible with version 8.1 of Splunk, it was not working with Splunk Cloud. Once the TA was updated, everything started working as expected.


0 Karma


subvocal
Engager

I'm happy to hear that it's now working! Thanks for sharing what the issue was and how to fix it.

0 Karma

subvocal
Engager

Hi @konstr - To rule out any sort of issue with communication and verify that the problem is with the configuration of the client, would you mind running the following command from the Splunk command line?

curl "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=3600" --user "principal:secret" -s

- Change principal:secret to the appropriate values. If that's working, it tells us the credentials and the communication are proper. If this is successful, I suggest opening a ticket with Proofpoint support for additional assistance. We can share the final solution here for the community.

0 Karma

konstr
Path Finder

Hi @subvocal, thank you for the reply. I have already tried manually curling the API and I can verify that the credentials are working and there is no problem with the communication/authentication.

On top of that, I have tried to set the input on a local Splunk Dev instance with success and the add-on is working fine. The problem seems to be when using the add-on in Splunk Cloud (dev instance was on-prem Splunk Enterprise).

We have chased it up internally and contacted Proofpoint. I will update this, once we find a solution.
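
Added example, not part of the original thread or of the add-on's own code: a small Python triage script that scans exported splunkd.log text for the error class quoted in the question and groups the hits by add-on, so a security input that is failing silently gets noticed. Only the first sample line is taken from the thread; the repeated timestamp, the `TA-example` line and the function name `find_rejected_arguments` are constructed for illustration.

```python
import re

# Error line quoted in the thread, with the timestamp left as a template field.
TAP_ERROR = ('{ts} +0000 ERROR ExecProcessor [11603 ExecProcessor] - message from '
             '"/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" '
             'proofpoint_tap_siem://TAP_proofpoint_test: stream_events/proofpoint_tap_siem://TAP_proofpoint_test: '
             'Error updating inputs.conf: HTTP 400 Bad Request -- Argument "python.version" '
             'is not supported by this handler.')

# Constructed sample input: line 1 is from the thread, the rest are made up.
SAMPLE_LOG = "\n".join([
    TAP_ERROR.format(ts="11-30-2020 13:27:57.345"),
    TAP_ERROR.format(ts="11-30-2020 13:32:57.120"),  # constructed repeat on the next run
    '11-30-2020 13:33:01.002 +0000 ERROR ExecProcessor [11603 ExecProcessor] - message from '
    '"/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-example/bin/poll.py" Connection timed out',
    '11-30-2020 13:33:05.500 +0000 INFO ExecProcessor [11603 ExecProcessor] - poll finished',
])

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ERROR ExecProcessor .*?'
    r'message from "(?P<cmd>[^"]+)" (?P<stanza>\S+?://[^:\s]+): .*?'
    r'Argument "(?P<arg>[^"]+)" is not supported by this handler')
APP_RE = re.compile(r'/etc/apps/(?P<app>[^/]+)/bin/')


def find_rejected_arguments(log_text):
    """Group 'Argument ... is not supported by this handler' errors by add-on."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other ExecProcessor errors and non-error lines are ignored
        app_m = APP_RE.search(m["cmd"])
        app = app_m["app"] if app_m else "(unknown app)"
        f = findings.setdefault(app, {"inputs": set(), "arguments": set(),
                                      "count": 0, "first_seen": m["ts"]})
        f["inputs"].add(m["stanza"])
        f["arguments"].add(m["arg"])
        f["count"] += 1
        f["last_seen"] = m["ts"]
    return findings


if __name__ == "__main__":
    for app, f in find_rejected_arguments(SAMPLE_LOG).items():
        print(f'{app}: {f["count"]} failures, rejected {sorted(f["arguments"])}, '
              f'inputs {sorted(f["inputs"])}, {f["first_seen"]} to {f["last_seen"]}')
```
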
