
Proofpoint TAP modular app input: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "pyt

konstr
Path Finder

We are trying to ingest logs from Proofpoint TAP using the available addon. We have successfully created the TAP input in our Splunk Cloud but we see no data coming in.

Upon further inspection the following error appears every time the input runs.

 

11-30-2020 13:27:57.345 +0000 ERROR ExecProcessor [11603 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://TAP_proofpoint_test: stream_events/proofpoint_tap_siem://TAP_proofpoint_test: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "python.version" is not supported by this handler.

 

 

Any idea of what the problem might be and how we can fix it?

0 Karma
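For triaging errors like the one quoted in the question, the following added example (not part of the original thread and not code from the add-on) parses splunkd `ExecProcessor` lines and separates failures where the `inputs.conf` update was rejected from other modular-input errors. The function names, the category labels and the second sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed input: line 1 is the error quoted in the question, line 2 is a made-up non-matching line.
SAMPLE = [
    '11-30-2020 13:27:57.345 +0000 ERROR ExecProcessor [11603 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://TAP_proofpoint_test: stream_events/proofpoint_tap_siem://TAP_proofpoint_test: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "python.version" is not supported by this handler.',
    '11-30-2020 13:28:01.002 +0000 INFO Metrics - group=pipeline, name=parsing',
]

LINE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+'
    r'(?P<level>ERROR|WARN)\s+ExecProcessor\b.*?message from "(?P<cmd>[^"]+)"\s+(?P<msg>.*)$')
APP = re.compile(r'/etc/apps/(?P<app>[^/]+)/bin/(?P<script>\S+)')
STANZA = re.compile(r'[\w.-]+://[^\s:]+')
REJECTED = re.compile(r'Error updating inputs\.conf: HTTP (?P<status>\d{3}) .*?'
                      r'Argument "(?P<arg>[^"]+)" is not supported by this handler')


def parse_exec_error(line):
    """Return a dict for an ExecProcessor ERROR/WARN line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    app = APP.search(m['cmd'])
    stanza = STANZA.search(m['msg'])
    rej = REJECTED.search(m['msg'])
    return {
        'ts': m['ts'],
        'level': m['level'],
        'app': app['app'] if app else None,
        'script': app['script'] if app else None,
        'stanza': stanza[0] if stanza else None,
        # The HTTP status belongs to the inputs.conf update, as the message itself states.
        'category': 'inputs_conf_rejected' if rej else 'other',
        'status': int(rej['status']) if rej else None,
        'rejected_arg': rej['arg'] if rej else None,
    }


def summarize(lines):
    """Count failures per (app, stanza, category) so repeated runs collapse to one row."""
    hits = filter(None, map(parse_exec_error, lines))
    return Counter((h['app'], h['stanza'], h['category']) for h in hits)


if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```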

konstr
Path Finder

We managed to solve the issue eventually. It seems that Splunk support did not install the latest available version of the TA to our Splunk Cloud instance. Even though the version they installed was still compatible with version 8.1 of Splunk, it was not working with Splunk Cloud. Once the TA was updated, everything started working as expected.


0 Karma


subvocal
Engager

I'm happy to hear that it's now working! Thanks for sharing what the issue was and how to fix it.

0 Karma

subvocal
Engager

Hi @konstr - To rule out any sort of issue with communication and verify that the problem is with the configuration of the client, would you mind running the following command from the Splunk command line?

curl "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=3600" --user "principal:secret" -s

Change principal:secret to the appropriate values. If that's working, it tells us the credentials and the communication are proper. If this is successful, I suggest opening a ticket with Proofpoint support for additional assistance. We can share the final solution here for the community.

0 Karma

konstr
Path Finder

Hi @subvocal, thank you for the reply. I have already tried manually curling the API and I can verify that the credentials are working and there is no problem with the communication/authentication.

 

On top of that, I have tried to set the input on a local Splunk Dev instance with success and the add-on is working fine. The problem seems to be when using the add-on in Splunk Cloud (dev instance was on-prem Splunk Enterprise).

 

We have chased it up internally and contacted Proofpoint. I will update this once we find a solution.
