Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Qualys Technology Add-on (TA) for Splunk 1.0.3: Wh...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Qualys Technology Add-on (TA) for Splunk 1.0.3: Why am I getting "Error -5 while decompressing data: incomplete or truncated stream"?
todd_miller
Communicator
05-04-2016
10:58 AM
Since updating to version 1.0.3 of the Qualys Technology Add-on (TA) for Splunk (Running on a dedicated "API Forwarder", a standalone Splunk 6.4.0 instance that forwards data to my indexers), I can no longer ingest data. On version 1.0.2, I was only getting the scan data, no KB data).
Here is the error I'm getting:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" Traceback (most recent call last):
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 274, in <module>
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" main()
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 267, in main
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" run()
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 144, in run
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" api_password = qualysModule.splunkpopulator.utils.decrypt(qualysConf['setupentity']['password'])
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/utils.py", line 201, in decrypt
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" return zlib.decompress(base64.urlsafe_b64decode(text))
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" zlib.error: Error -5 while decompressing data: incomplete or truncated stream
Any additional insight would be appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
todd_miller
Communicator
05-11-2016
06:22 AM
So the good news is that I don't appear to be seeing any errors anymore.
The bad news is the following:
- When "knowledge_base" and "host_detection" data inputs are enabled, only "knowledge_base" data seems to be downloaded
- I see a tmp file created with "knowledge_base" data. Total file size is ~125M.
- The timestamp on the qualys_kb.csv lookup file is updated but no additional data is added to it. Current file size is 5.3M. I also created an empty file and added the csv header information to it. It successful recreates a 5.3M file
When the "knowledge_base" data input is disabled, nothing is downloaded from the "host_detection" data input. I see the following in the logs.
5/11/16 9:14:07.000 AM making https://qualysapi.qualys.com/msp/about.php request with params={} host = x.x.com index = _internal source = qualys://host_detection sourcetype = qualys 5/11/16 9:14:07.000 AM Start qualys TA host = x.x.com index = _internal source = qualys://host_detection sourcetype = qualys 5/11/16 9:14:04.000 AM End qualys TA host = x.x.com index = _internal source = qualys://host_detection sourcetype = qualys
That's all we get.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jeffriesa
Path Finder
08-10-2016
06:15 PM
I have just upgraded away from the Beta version which was working fine.
We are getting the same errors?
And this one:
QualysSplunkPopulator: 2016-08-11T11:14:21Z PID=25745 [MainThread] ERROR: QualysSplunkPopulator - Error during request to /msp/about.php, [None] Unauthorized
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lindaiyu
Path Finder
07-05-2016
07:37 AM
Hello Todd,
Does your app work now? If not, you could communicate with me.
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
