SNMP Splunk MA App for Netcool: Is this add-on supported on a Search Head Cluster??

fahmed1
Engager

Is this add-on search head cluster supported?? I have this add-on deployed to both our prod (clustered) environment and our dev/qa (non-clustered) environment. The add-on seems to work perfectly fine on our non-clustered environment, however, it is throwing errors in our prod environment. The alert action configurations are identical across both environments.

FieldValidationException: The argument '_cam_workers' is not valid

0 Karma
1 Solution

pellegrini
Path Finder

I don't think this error is related to Search Head Clusters.
I saw this error on a non-clustered Search Head where the Common Information Model (CIM) version 4.12.0 is also installed.
https://splunkbase.splunk.com/app/1621/

cat /opt/splunk/var/log/splunk/netcool_custom_modular_alert.log
2019-05-22 10:15:01,597 ERROR Execution failed: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 539, in execute
    cleaned_params = self.validate(payload['configuration'])
  File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 490, in validate
    raise FieldValidationException("The argument '%s' is not valid" % (name))
FieldValidationException: The argument '_cam' is not valid

2019-05-22 10:22:02,094 ERROR Execution failed: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 539, in execute
    cleaned_params = self.validate(payload['configuration'])
  File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 490, in validate
    raise FieldValidationException("The argument '%s' is not valid" % (name))
FieldValidationException: The argument '_cam_workers' is not valid

Run btool to see if CIM is causing the conflict with the NetCool app. If you see _cam config here, that might be the cause of the error. Or it might be another app with alert_actions config.

/opt/splunk/bin/splunk btool alert_actions list --debug

The config is located here:

-bash-4.2$ pwd
/opt/splunk/etc/apps/Splunk_SA_CIM/default
-bash-4.2$ cat alert_actions.conf

param._cam =
param._cam_workers =

Comment out these rows, restart the Search Head, and see if the NetCool app works fine.
If it does, you should investigate what to do with that alert_actions config, if you need it.
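
The btool check described above, as an added example that is not part of the original post or the add-on's code: it parses `btool alert_actions list --debug` output and reports which `param.*` keys in an alert action's stanza come from another app's `alert_actions.conf`. The sample output is constructed, and the `[netcool]` stanza name and `param.server` are assumptions.

```python
import re

# Constructed sample of `splunk btool alert_actions list --debug` output: each line
# is the contributing .conf file, whitespace, then the stanza header or setting.
# The [netcool] stanza name and param.server are hypothetical.
NETCOOL = "/opt/splunk/etc/apps/netcool_custom_modular_alert"
CIM = "/opt/splunk/etc/apps/Splunk_SA_CIM"
SAMPLE_BTOOL = "\n".join([
    NETCOOL + "/default/alert_actions.conf [netcool]",
    NETCOOL + "/default/alert_actions.conf is_custom = 1",
    CIM + "/default/alert_actions.conf     param._cam = ",
    CIM + "/default/alert_actions.conf     param._cam_workers = ",
    NETCOOL + "/local/alert_actions.conf   param.server = snmp.example.invalid",
    "/opt/splunk/etc/system/default/alert_actions.conf ttl = 10p",
])

LINE = re.compile(r"^(\S+\.conf)\s+(.*)$")
APP = re.compile(r"/etc/apps/([^/]+)/")

def foreign_params(btool_text, stanza, owner_app):
    """Map each param.* key in `stanza` to the .conf file that supplied it,
    keeping only keys that come from outside `owner_app`."""
    found, current = {}, None
    for raw in btool_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        path, rest = m.groups()
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]          # stanza header line
            continue
        key, sep, _value = rest.partition("=")
        app = APP.search(path)
        source = app.group(1) if app else "system"
        if current == stanza and sep and key.strip().startswith("param.") \
                and source != owner_app:
            found[key.strip()] = path
    return found

if __name__ == "__main__":
    for key, path in sorted(foreign_params(
            SAMPLE_BTOOL, "netcool", "netcool_custom_modular_alert").items()):
        print(key, "<-", path)
```
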


rrthokala
New Member

Looks like that seems to be the problem. That fixed it for me.

0 Karma


kkrishnan_splun
Splunk Employee

Could you please tell me where you installed the add-on? Was it on heavy forwarders? Also, could you share a screenshot of the full error without releasing any sensitive data?

0 Karma

pellegrini
Path Finder

The app is installed on a Search Head, Splunk Enterprise 7.1.2. It doesn't have the heavy forwarder role.
The full error messages are in the answer above where python script arguments are not valid, referring to arguments _cam and _cam_workers.

It can be helpful to print the modular_alert.py payload by adding this just before row 539, since row 539 is throwing the error message.

     import pprint
     with open('/opt/splunk/temp/file.txt','w') as f: f.write(pprint.pformat(payload))
0 Karma
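
The payload a custom alert action receives carries the search's session key alongside the configuration, so a debug dump like the one above is safer with secrets masked and the file readable only by its owner. This is an added example, not part of the original post or the add-on's code; the sample payload, the `snmp_community` parameter and the list of sensitive key names are constructed assumptions.

```python
import json
import os

# Substrings of key names to mask (assumed list; extend for your add-on's parameters).
SENSITIVE = ("session_key", "password", "token", "secret", "community")

# Constructed payload shaped like the JSON a custom alert action script receives.
SAMPLE_PAYLOAD = {
    "session_key": "constructed-not-a-real-key",
    "server_uri": "https://127.0.0.1:8089",
    "search_name": "constructed alert",
    "configuration": {"_cam": "", "_cam_workers": "",
                      "snmp_community": "constructed-community"},
    "result": {"host": "web01"},
}

def redact(obj):
    """Return a copy of obj with the values of sensitive-looking keys masked."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if any(s in k.lower() for s in SENSITIVE)
                else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def dump_payload(payload, path):
    """Write a redacted dump to `path` and return the underscore-prefixed
    configuration keys, i.e. the arguments the add-on did not define itself."""
    # O_EXCL refuses an existing file or symlink; 0o600 keeps the dump owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(redact(payload), f, indent=2, sort_keys=True)
    return sorted(k for k in payload.get("configuration", {}) if k.startswith("_"))

if __name__ == "__main__":
    import tempfile
    target = os.path.join(tempfile.mkdtemp(), "payload_debug.json")
    print(dump_payload(SAMPLE_PAYLOAD, target), "written to", target)
```
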