Is this add-on search head cluster supported? I have this add-on deployed to both our prod (clustered) environment and our dev/qa (non-clustered) environment. The add-on seems to work perfectly fine on our non-clustered environment, however, it is throwing errors in our prod environment. The alert action configurations are identical across both environments.
FieldValidationException: The argument '_cam_workers' is not valid
I don't think this error is related to Search Head Clusters.
I saw this error on a non-clustered Search Head where the Common Information Model (CIM) version 4.12.0 is also installed.
https://splunkbase.splunk.com/app/1621/
cat /opt/splunk/var/log/splunk/netcool_custom_modular_alert.log
2019-05-22 10:15:01,597 ERROR Execution failed: Traceback (most recent call last):
File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 539, in execute
cleaned_params = self.validate(payload['configuration'])
File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 490, in validate
raise FieldValidationException("The argument '%s' is not valid" % (name))
FieldValidationException: The argument '_cam' is not valid
2019-05-22 10:22:02,094 ERROR Execution failed: Traceback (most recent call last):
File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 539, in execute
cleaned_params = self.validate(payload['configuration'])
File "/opt/splunk/etc/apps/netcool_custom_modular_alert/bin/modular_alert.py", line 490, in validate
raise FieldValidationException("The argument '%s' is not valid" % (name))
FieldValidationException: The argument '_cam_workers' is not valid
Run btool to see if CIM is causing the conflict with the NetCool app. If you see _cam config here, that might be the cause of the error. Or it might be another app with alert_actions config.
/opt/splunk/bin/splunk btool alert_actions list --debug
The config is located here:
-bash-4.2$ pwd
/opt/splunk/etc/apps/Splunk_SA_CIM/default
-bash-4.2$ cat alert_actions.conf
param._cam =
param._cam_workers =
Comment out these rows, restart the Search Head, and see if the NetCool app works fine.
If it does, you should investigate what to do with that alert_actions config, if you need it.
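Added example, not part of the original answer and not the add-on's own code: a Python helper that reads `btool alert_actions list --debug` output and reports every `param.*` key that another app contributes to a stanza the NetCool app defines, which is the conflict described above. The sample output and the stanza name `netcool_example_action` are constructed for illustration; the parser assumes each `--debug` line starts with the source file path and that the path contains no spaces.

```python
import re

# Constructed sample of `splunk btool alert_actions list --debug` output.
# The stanza name is hypothetical; paths follow the ones shown in the thread.
NETCOOL = "/opt/splunk/etc/apps/netcool_custom_modular_alert/default/alert_actions.conf"
CIM = "/opt/splunk/etc/apps/Splunk_SA_CIM/default/alert_actions.conf"
SAMPLE_BTOOL_OUTPUT = "\n".join([
    NETCOOL + " [netcool_example_action]",
    NETCOOL + " is_custom = 1",
    NETCOOL + " label = NetCool example",
    CIM + "      param._cam = ",
    CIM + "      param._cam_workers = ",
    NETCOOL + " payload_format = json",
])

APP_RE = re.compile(r"/etc/apps/([^/]+)/")

def parse_btool(output):
    """Yield (stanza, key, app, path) for each setting line."""
    stanza = None
    for line in output.splitlines():
        parts = line.split(None, 1)  # assumes no spaces in the path
        if len(parts) != 2:
            continue
        path, setting = parts[0], parts[1].strip()
        if setting.startswith("[") and setting.endswith("]"):
            stanza = setting[1:-1]
            continue
        m = APP_RE.search(path)
        app = m.group(1) if m else "system"
        yield stanza, setting.split("=", 1)[0].strip(), app, path

def foreign_params(output, owner_app):
    """param.* keys that another app contributes to stanzas owner_app defines."""
    rows = list(parse_btool(output))
    owned = {stanza for stanza, _, app, _ in rows if app == owner_app}
    return [r for r in rows
            if r[0] in owned and r[1].startswith("param.") and r[2] != owner_app]

if __name__ == "__main__":
    for stanza, key, app, path in foreign_params(
            SAMPLE_BTOOL_OUTPUT, "netcool_custom_modular_alert"):
        print(f"[{stanza}] {key} comes from {app} ({path})")
```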
Looks like that seems to be the problem. That fixed it for me.
Could you please tell me where you installed the add-on? Was it on heavy forwarders? Also, could you share a screenshot of the full error without releasing any sensitive data?
The app is installed on a Search Head, Splunk Enterprise 7.1.2. It doesn't have the heavy forwarder role.
The full error messages are in the answer above where python script arguments are not valid, referring to arguments _cam and _cam_workers.
It can be helpful to print the modular_alert.py payload by adding this just before row 539, since row 539 is throwing the error message.
import pprint
with open('/opt/splunk/temp/file.txt','w') as f: f.write(pprint.pformat(payload))