Getting an error when trying to read generic Azure Storage table logs. Even tried with the Start Date/Time blank and still get the error below. Any Ideas?
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" Traceback (most recent call last):
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 426, in <module>
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" do_run()
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 305, in do_run
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" dateTimeStart = dateutil.parser.parse(marker)
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 1008, in parse
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" return DEFAULTPARSER.parse(timestr, **kwargs)
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 395, in parse
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" raise ValueError("Unknown string format")
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" ValueError: Unknown string format
From Jason Conger: Try clearing the checkpoint. To do this, stop the Splunk instance where the Azure add-on is running and type the following at the command line:
$SPLUNK_HOME/bin/splunk clean inputdata AzureStorageTable
This worked for me.
From Jason Conger: Try clearing the checkpoint. To do this, stop the Splunk instance where the Azure add-on is running and type the following at the command line:
$SPLUNK_HOME/bin/splunk clean inputdata AzureStorageTable
This worked for me.
A new version (1.2.1) is available that should address this issue.
Why is it even getting to line 304 in AzureStorageTable.py? There is no marker but its logging that there is a marker.
if marker is not None:
# If we have a marker, then we just pick up there.
logging.debug("Marker found for table %s: %s" % (table_name, marker))
dateTimeStart = dateutil.parser.parse(marker)
ValueError: Unknown string format
raise ValueError("Unknown string format")
File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 395, in parse
return DEFAULTPARSER.parse(timestr, **kwargs)
File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 1008, in parse
dateTimeStart = dateutil.parser.parse(marker)
File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 307, in do_run
do_run()
File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 429, in <module>
Traceback (most recent call last):
AzureStorageTable:306 - Marker found for table WADWindowsEventLogsTable: None
AzureStorageTable:285 - Overriding dateTimeStart. New value = '2016-05-06 00:00:00'
AzureStorageTable:280 - dateTimeStart = '2016-05-10T12:31:03.393043'
AzureStorageTable:402 - XML: 'table_name' -> 'WADWindowsEventLogsTable'
AzureStorageTable:398 - XML: found param 'table_name'
AzureStorageTable:402 - XML: 'storage_account' -> 'REDACTED'
AzureStorageTable:398 - XML: found param 'storage_account'
AzureStorageTable:402 - XML: 'sourcetype' -> 'azure:storage:table'
AzureStorageTable:398 - XML: found param 'sourcetype'
AzureStorageTable:402 - XML: 'select_string' -> 'RawXml,Timestamp'
AzureStorageTable:398 - XML: found param 'select_string'
AzureStorageTable:402 - XML: 'pollingInterval' -> '60'
AzureStorageTable:398 - XML: found param 'pollingInterval'
AzureStorageTable:402 - XML: 'limit' -> '1000'
AzureStorageTable:398 - XML: found param 'limit'
AzureStorageTable:402 - XML: 'index' -> 'wineventlog'
AzureStorageTable:398 - XML: found param 'index'
AzureStorageTable:402 - XML: 'host' -> 'REDACTED'
AzureStorageTable:398 - XML: found param 'host'
AzureStorageTable:402 - XML: 'dateTimeStart' -> '2016-05-06'
AzureStorageTable:398 - XML: found param 'dateTimeStart'
AzureStorageTable:402 - XML: 'dateTimeColumn' -> 'Timestamp'
AzureStorageTable:398 - XML: found param 'dateTimeColumn'
AzureStorageTable:402 - XML: 'access_key' -> 'REDACTED'
AzureStorageTable:398 - XML: found param 'access_key'
AzureStorageTable:392 - XML: found stanza AzureStorageTable://REDACTED
AzureStorageTable:387 - XML: found configuration
Humm, still having the same errors. Whats the correct format for the date? I tried blank and 20160509T191536Z.
No date should work. But, 2016-05-09 should work as well.