Hi All,
After a long time, we finally got the Splunk Add-on for MS Cloud Services on our Search Heads and Heavy forwarder.
I followed the steps listed in the blog: https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html
When I add the O365 account, I get the "Timeout for getting data from the authenticating window." error on the GUI of the Heavy forwarder.
When I looked into the splunkd.log file, it lists the following entries regarding the REST request:
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': Traceback (most recent call last):
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': File "/opt/splunk/bin/runScript.py", line 78, in
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': execfile(REAL_SCRIPT_NAME)
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_ms_o365_rh_common_poster.py", line 56, in
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': admin.CONTEXT_APP_AND_USER)
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': hand.execute(info)
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 595, in execute
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': if self.requestedAction == ACTION_EDIT: self.handleEdit(confInfo)
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/rest_handler/poster.py", line 94, in handleEdit
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': RH_Err.ctl(1104, msgx=exc)
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/rest_handler/error_ctl.py", line 149, in ctl
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': raise BaseException(err)
10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': BaseException: REST ERROR[1104]: Poster REST handler error - timed out
10-29-2018 15:36:52.077 -0400 ERROR AdminManagerExternal - External handler failed with code '1' and output: 'REST ERROR[1104]: Poster REST handler error - timed out'. See splunkd.log for stderr output.
Any ideas what the issue could be, and how to resolve it?
Thanks,
FBW
Figured it out. It was a proxy issue: as the Forwarder is behind a proxy, I had to configure the proxy setup in the correct place for the Add-on to make requests to the internet using the proxy.
Got it working by:
There is a config file inside the apps folder under the add-on, where the proxy settings have to be explicitly mentioned.
Under: /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/local/splunk_ta_ms_o365_client_settings.conf
[proxy]
proxy_enabled = 1
proxy_rdns = 1
proxy_type = http
proxy_port = 8000
proxy_url = proxy1.your.server.com
disabled = 0
Hope it's helpful to anyone who is having similar issues in the future 🙂
Thanks,
Fatema.
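
Added example, not part of the original posts or of the add-on's own code: it rejoins the per-line ScriptRunner stderr entries from splunkd.log into the handler's final error, and checks an add-on [proxy] stanza against the values the answer reports working. The function names and sample input are constructed for illustration, and the checks assume the answer's settings (proxy_enabled = 1, a non-empty proxy_url, a numeric proxy_port) are what the add-on needs.

```python
import configparser
import re

# Prefix splunkd.log puts in front of each stderr line of a scripted REST handler.
STDERR = re.compile(r"ERROR ScriptRunner - stderr from '[^']*':\s*(.*)$")
APP = re.compile(r"/etc/apps/([^/]+)/")
FINAL = re.compile(r"^([\w.]*(?:Error|Exception)): (.*)$")  # last traceback line

def handler_failures(log_lines):
    """Rejoin per-line stderr into tracebacks; return [(app, final_error_message)]."""
    failures, app, in_tb = [], None, False
    for line in log_lines:
        m = STDERR.search(line)
        if not m:
            continue
        text = m.group(1)
        if text.startswith("Traceback (most recent call last)"):
            app, in_tb = None, True
        elif in_tb:
            frame, final = APP.search(text), FINAL.match(text)
            if frame:
                app = frame.group(1)  # deepest frame that lives under etc/apps
            if final:
                failures.append((app, final.group(2)))
                in_tb = False
    return failures

def proxy_problems(conf_text):
    """Compare a [proxy] stanza with the values the answer reports working."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("proxy"):
        return ["no [proxy] stanza"]
    p, problems = cp["proxy"], []
    if p.get("proxy_enabled") != "1":
        problems.append("proxy_enabled is not 1")
    if not p.get("proxy_url", "").strip():
        problems.append("proxy_url is empty")
    port = p.get("proxy_port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("proxy_port is not a valid port")
    return problems

# Constructed sample input, modelled on the log lines in the question.
PREFIX = ("10-29-2018 15:36:52.055 -0400 ERROR ScriptRunner - stderr from "
          "'/opt/splunk/bin/python /opt/splunk/bin/runScript.py execute': ")
SAMPLE_LOG = [PREFIX + "Traceback (most recent call last):",
              PREFIX + 'File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/rest_handler/error_ctl.py", line 149, in ctl',
              PREFIX + "BaseException: REST ERROR[1104]: Poster REST handler error - timed out"]
SAMPLE_CONF = "[proxy]\nproxy_enabled = 0\nproxy_port = 8000\nproxy_url =\n"
```

Calling handler_failures on the lines of splunkd.log and proxy_problems on the text of the add-on's local conf file shows whether a "timed out" handler error coincides with a missing or incomplete proxy stanza.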