Splunk Addon Build shows zero events

spamarea1
Observer

Addon Builder 4.5.0, modular input using my Python code.
 
In this example the collection interval is set for 30 seconds. I added a log to verify it is running here: log_file = "/opt/splunk/etc/apps/TA-api1/logs/vosfin_cli.log"
 
The main page (Configure Data Collection) shows all the 'input names' that I built. But looking at the 'event count', I see a 0.  When I go into the log, it shows it running and giving me data ok.  Why doesn't the event count up every time the script runs? 
 
Is there additional configuration in inputs, props or web.conf that I need to add/edit to make it count up?

 

 

0 Karma

tej57
Builder

Hello @spamarea1,

Would you be able to share the Python code so we can check further why it is not ingesting events? And can you also confirm whether ew.write_event(event) has been set properly? Did you also check in the Add-on Builder UI whether it is ingesting events when you run the Test button?

Thanks,
Tejas. 

0 Karma

spamarea1
Observer

@tej57 

Here is the code; I reused the template that the addon builder app started. The data input is also set up; it was built by the app, and I have to give it a name and put the interval to 30 seconds.

Formatting here is not good....

 


# encoding = utf-8

import os
import sys
import time
import datetime

'''
    IMPORTANT
    Edit only the validate_input and collect_events functions.
    Do not edit any other part in this file.
    This file is generated only once when creating the modular input.
'''
'''
# For advanced users, if you want to create single instance mod input, uncomment this method.
def use_single_instance_mode():
    return True
'''

def validate_input(helper, definition):
    """Implement your own validation logic to validate the input stanza configurations"""
    # This example accesses the modular input variable
    # password = definition.parameters.get('password', None)
    # username = definition.parameters.get('username', None)
    # finesse_ip = definition.parameters.get('finesse_ip', None)
    pass


def collect_events(helper, ew):
    """Query the Finesse SystemInfo API once and write the response as one event."""
    import requests
    from requests.auth import HTTPBasicAuth

    # Input parameters configured on the data input stanza
    finesse_ip = helper.get_arg('finesse_ip')
    username = helper.get_arg('username')
    password = helper.get_arg('password')

    url = f"https://{finesse_ip}/finesse/api/SystemInfo"

    try:
        # Note: verify=False disables TLS certificate validation, so the
        # basic-auth credentials are sent without authenticating the server.
        response = requests.get(url, auth=HTTPBasicAuth(username, password), verify=False)

        if response.status_code == 200:
            helper.log_info(f"Successfully retrieved data from {url}")
        else:
            helper.log_error(f"Request failed. Status: {response.status_code}, Body: {response.text}")

        # The event is built and written for every response, including non-200 ones
        event = helper.new_event(
            data=response.text,
            source=helper.get_input_type(),
            index=helper.get_output_index(),
            host="finesse1a",
            sourcetype=helper.get_sourcetype()
        )
        ew.write_event(event)

    except Exception as e:
        helper.log_error(f"Error during request to {url}: {str(e)}")

 

 

 

 

0 Karma

tej57
Builder

Hello @spamarea1,

Did you run the test button before saving? If the output shows a blank white screen, it'll not ingest any data. Also, try to add more loggers to isolate the problem. Also, for once, add an info log of the response.txt itself, so that you can understand what the output should look like.

Thanks,
Tejas. 

0 Karma
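An offline harness for the "add more loggers" suggestion above, as an added example that is not part of the original thread or of Splunk's code. `FakeHelper`, `FakeEventWriter`, `run_once` and the injected `fetch` callable are hypothetical stand-ins that mimic only the `helper`/`ew` methods used in the posted input; the IP, index and sourcetype values are constructed.

```python
# Added example: stage-by-stage logging for collect_events, runnable without Splunk.
# FakeHelper and FakeEventWriter are hypothetical stand-ins, not Splunk classes;
# they mimic only the helper/ew methods used in the code posted in this thread.
class FakeHelper:
    def __init__(self, args):
        self.args, self.logs = args, []
    def get_arg(self, name): return self.args[name]
    def log_info(self, msg): self.logs.append(("INFO", msg))
    def log_error(self, msg): self.logs.append(("ERROR", msg))
    def get_input_type(self): return "api1"                 # constructed value
    def get_output_index(self): return "main"               # constructed value
    def get_sourcetype(self): return "finesse:systeminfo"   # constructed value
    def new_event(self, **fields): return fields

class FakeEventWriter:
    def __init__(self): self.events = []
    def write_event(self, event): self.events.append(event)

def collect_events(helper, ew, fetch):
    """Same flow as the posted input, with one log line per stage.
    fetch(url) -> (status_code, body) replaces the requests call (assumption)."""
    url = f"https://{helper.get_arg('finesse_ip')}/finesse/api/SystemInfo"
    helper.log_info(f"stage=start url={url}")
    try:
        status, body = fetch(url)
        helper.log_info(f"stage=response status={status} bytes={len(body)}")
        if status != 200:
            helper.log_error(f"stage=response_not_ok status={status}")
        event = helper.new_event(data=body, source=helper.get_input_type(),
                                 index=helper.get_output_index(),
                                 host="finesse1a", sourcetype=helper.get_sourcetype())
        helper.log_info(f"stage=event_built index={event['index']} sourcetype={event['sourcetype']}")
        ew.write_event(event)
        helper.log_info("stage=event_written count=1")
        return 1
    except Exception as e:
        helper.log_error(f"stage=failed error={e}")
        return 0

def run_once(status, body):
    """Run one collection cycle against a canned response (constructed input)."""
    helper = FakeHelper({"finesse_ip": "192.0.2.10"})
    ew = FakeEventWriter()
    written = collect_events(helper, ew, lambda url: (status, body))
    return written, ew.events, helper.logs
```

If every scheduled run logs `stage=event_written` but the search or event count stays empty, the loss is downstream of `ew.write_event`, in the index or forwarding path, rather than in the script.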

spamarea1
Observer

I did the save and finish buttons.  I get output when I hit the test and I see it when I search using the index and sourcetype.  The data is even put into dashboard.  I just have to run this manually. 

 

0 Karma

tej57
Builder

Hey @spamarea1,

So, where do you see 0 events? On the sourcetype-extraction page of the Add-on Builder? Can you please share a screenshot of it?

I assume it is because of the nature of the data flow setup. Your Add-on Builder would be present on one of the Enterprise servers and the data would be ingested into a different server, on which the indexer resides. So, whenever the input runs, it collects the data and sends it to the indexer server.

If the indexing happens locally, you would be able to see the events on the Add-on Builder page. Let me know if what I'm understanding is incorrect; a screenshot would be better to troubleshoot further.

Thanks,
Tejas.

---
If the above solution helps, an upvote is appreciated..!! 

0 Karma