All Apps and Add-ons

Splunk Add-on for CrowdStrike: 500 Server Error: Internal Server Error for url

kmanson
Path Finder

First time setting up the Splunk version of this app, normally just use the crowdstrike version that downloads the logs and just create inputs to monitor.

2017-06-13 11:21:17,081 +0000 log_level=ERROR, pid=31446, tid=Thread-4, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=170 | [stanza_name="company_cs"] Failed to get msg
Traceback (most recent call last):
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/splunktaucclib/data_collection/ta_data_collector.py", line 160, in _do_safe_index
events, ckpt = self._client.get()
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/falcon_host_data_client.py", line 60, in get
self._initialize()
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/falcon_host_data_client.py", line 104, in _initialize
app_id=app_id, proxies=proxies, name=self._stanza)
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/falcon_host_stream_api.py", line 31, in consume
stream = _discover_streams(name, fire_host, api_uuid, api_key, app_id, proxies)
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/falcon_host_stream_api.py", line 42, in _discover_streams
proxies=proxies))
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/falcon_host_stream_api.py", line 151, in _ensure_response
response.raise_for_status()
File "/opt/app/splunk/etc/apps/Splunk_TA_crowdstrike/bin/splunk_ta_crowdstrike/requests/models.py", line 862, in raise_for_status
raise HTTPError(http_error_msg, response=self)
HTTPError: 500 Server Error: Internal Server Error for url: https://firehose.crowdstrike.com/sensors/entities/datafeed/v1?appId=splunk-ta-sh1.company.domainj2

0 Karma

rrtorres1991
New Member

This is due to the FalconHost Streaming API not being enabled. Upon contacting Crowdstrike Support, they enabled it for me and it solved my problem.

0 Karma

rrtorres1991
New Member

I also am experiencing this same problem. Has anyone got a solution/workaround?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...