Splunk Add-on for Check Point OPSEC LEA: Why am I unable to gather Check Point logs from LEA Server using OPSEC 4.1

georgen_splunk
Splunk Employee

After recently configuring the Splunk Add-on for Check Point OPSEC LEA, I'm finding these errors reported in my splunk_ta_checkpoint-opseclea_modinput.log and no events are indexed.

2016-12-27 20:25:58,983 +0000 log_level=ERROR, pid=10558, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=108 | [input_name="SPLUNKLEA" data="non_audit"]  Failed to index data, reason:
Traceback (most recent call last):
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 105, in index_data
    self._do_safe_index()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index
    self._client = self._create_data_client()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 73, in _create_data_client
    ckpt = self._get_ckpt()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 64, in _get_ckpt
    return self._checkpoint_manager.get_ckpt()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_checkpoint_manager.py", line 32, in get_ckpt
    return self._store.get_state(key)
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktalib/state_store.py", line 202, in get_state
    state = json.load(jsonfile)
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/__init__.py", line 291, in load
    **kw)
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

1 Solution

georgen_splunk
Splunk Employee

Last line in the error above:
> ValueError: No JSON object could be decoded
I was able to fix this by deleting the App's modinputs checkpoint (pointer file) that tracks the last location of the FW log.

fix: cp to backup or delete $SPLUNK_HOME/var/lib/splunk/modinputs/checkpoint_opseclea/<input_name>

I've also reported this as a bug; please contact Support for more info.

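As an added example that is not from the thread or from the add-on's own code: a Python 3 script that applies the fix above cautiously, testing each file under the checkpoint directory with json.load() (the call that fails in the traceback) and moving only the unparseable ones into a backup directory instead of deleting them. The directory layout, the input name SPLUNKLEA and the checkpoint contents used in demo() are constructed for illustration.

```python
import json
import os
import shutil
import tempfile
import time


def checkpoint_is_valid(path):
    """True when json.load() accepts the file, i.e. the add-on's
    _get_ckpt() would not raise 'No JSON object could be decoded'."""
    try:
        with open(path) as fh:
            json.load(fh)
        return True
    except ValueError:  # json.JSONDecodeError subclasses ValueError
        return False


def quarantine_corrupt_checkpoints(ckpt_dir, backup_dir):
    """Move unparseable checkpoint files from ckpt_dir into backup_dir and
    return their names. Only regular files are touched ("just the files")."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    moved = []
    for name in sorted(os.listdir(ckpt_dir)):
        src = os.path.join(ckpt_dir, name)
        if not os.path.isfile(src) or checkpoint_is_valid(src):
            continue
        # Keep a copy for the Support case instead of deleting the broken file.
        shutil.move(src, os.path.join(backup_dir, f"{name}.{stamp}.bak"))
        moved.append(name)
    return moved


def demo():
    """Run the repair on a constructed directory: one intact checkpoint and
    one empty file, which makes json.load() fail exactly as in the traceback."""
    base = tempfile.mkdtemp()
    ckpt_dir = os.path.join(base, "checkpoint_opseclea")
    os.makedirs(ckpt_dir)
    with open(os.path.join(ckpt_dir, "SPLUNKLEA_ok"), "w") as fh:
        json.dump({"position": 12345}, fh)  # constructed; not the add-on's real schema
    open(os.path.join(ckpt_dir, "SPLUNKLEA_bad"), "w").close()
    moved = quarantine_corrupt_checkpoints(ckpt_dir, os.path.join(base, "backup"))
    remaining = sorted(os.listdir(ckpt_dir))
    shutil.rmtree(base)
    return moved, remaining
```

On a real instance, call quarantine_corrupt_checkpoints() with $SPLUNK_HOME/var/lib/splunk/modinputs/checkpoint_opseclea as ckpt_dir; the moved copies remain available for Support.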

splunkreal
Motivator

Hello,

Is restarting Splunkd necessary after deleting the checkpoint file (pointer)?

Thanks.

* If this helps, please upvote or accept solution 🙂 *

evinasco
Communicator

I need to delete folder or just the files?

evinasco
Communicator

I have this problem:

2018-08-15 22:19:27,785 +0000 log_level=ERROR, pid=36052, tid=MainThread, file=checkpoint_opseclea.py, func_name=main, code_line_no=178 | Encounter exception=Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py", line 175, in main
    run()
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py", line 97, in run
    tconfig = tc.create_ta_opseclea_config()
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/ta_opseclea_config.py", line 15, in create_ta_opseclea_config
    return TaOpsecLeaConfig(meta_configs, input_configs, client_schema)
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_config.py", line 23, in __init__
    self._generate_configs()
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_config.py", line 105, in _generate_configs
    self._set_task_configs(task_configs)
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/ta_opseclea_config.py", line 21, in _set_task_configs
    connection = task_config[c.connections][task_config[c.connection]]
KeyError: u'10.107.35.30'

georgen_splunk
Splunk Employee
Splunk Employee

This appears to be a configuration issue; would it be possible to capture a diag of this instance and open a Support case? We should be able to quickly identify the stanza/setting that's causing this KeyError.


evinasco
Communicator

I created Splunk Support case 1088513.

georgen_splunk
Splunk Employee
Splunk Employee

Just the files.


aosso
Path Finder

We had a crash on the ESX containing one of our Splunks that caused a sudden reboot, and we were facing this same error (latest OPSEC LEA plugin).

Solution worked great!

Thanks


shawngarrettsgp
Path Finder

Worked great for me on version 4.2.0; so glad I found this post, thanks! I'm still waiting on support to acknowledge the case I submitted for the issue yesterday, despite them saying they'd e-mail back in the morning. That's what I get for not googling the cryptic error messages first. It was confusing, as during my troubleshooting the DEBUG check running the add-on manually to a temp file worked fine. As you mentioned, we had a hard reboot, so it didn't shut down cleanly. (Really not sure why we pay for support still, tbh...)
