I have installed the Netwitness query app. I configured the credentials and tested the REST API call using curl, and am still receiving the errors below when enabling the app on my search head. Any thoughts or input on this issue?
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitnessquery/bin/nwsdkquery.py" 2017-Feb-28 18:58:25 - ERROR: Couldn't read authentication details PassAuth or from nwsdkquery.conf.
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitnessquery/bin/nwsdk_query.py" No handlers could be found for logger "splunk.rest.format"
Here is what I get when running the python script in the CLI.
Traceback (most recent call last):
File "nwsdkquery.py", line 308, in
from splunk.clilib.clicommon import getMergedConf
ImportError: No module named splunk.clilib.clicommon
Are you running it with ./splunk cmd python script_path? Sorry, the markup messed up my first reply.
That library is exclusive to Splunk's Python distribution. Could it be that the script is running with the system Python distribution instead of Splunk's, too?
Alternatively, just try with the credentials in the script; that should always work, although that library is still required to read the configuration file.
Hope this helps!
I ran the script and received the below error. I also tried while hardcoding the credentials in the script with no luck.
./splunk cmd python /opt/splunk/etc/apps/netwitnessquery/bin/nwsdkquery.py
2017-Mar-02 01:19:01 - ERROR: Couldn't read TOPLEVELURL from nwsdk_query.conf.
That is now a different issue; it seems the URL for the REST API the script should connect to is missing from the configuration file. The library error is no longer an issue.
The TOPLEVELURL should look something like http(s)://IPOFBrokerorConcentrator:Port/
Hope this helps!
Hm, I am a bit confused as I have input the toplevelurl in /local/nwsdk_query.conf. I am able to curl the URL with no issues.
query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where service=80
I'm wondering if there's a permissions issue or a problem with the filename... that is causing access to it to fail. But it's even stranger, as it should at least read the one in the default directory...
The library being used is Splunk's default library to process configuration files that would merge default and local files with the same name.
My email is in the code; if you prefer to reach out to me directly with file details and directory listings or other more sensitive information, please feel free to use it.
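The reply above describes Splunk's merged-configuration behaviour (default/ and local/ copies of the same .conf, with local/ keys winning) and the two failure modes the thread runs into: the merge library missing because the script is run under the wrong interpreter, and the script bailing out when TOPLEVELURL or credentials are not found in the merged result. The following is an added example, not code from the netwitnessquery app or from Splunk, that reproduces that merge on a constructed app directory so it runs under any Python. Assumptions: Splunk's own merger is getMergedConf in splunk.clilib.cli_common (only importable under Splunk's bundled Python); the stanza name `nwsdk`, the `username`/`password`/`timeout` key names, and the URL, port and credential values are made up for the demo.

```python
import configparser
import os
import tempfile

CONF_NAME = "nwsdk_query.conf"   # file name used in the thread
STANZA = "nwsdk"                 # ASSUMED stanza name; the thread does not show it

try:
    # Only Splunk's bundled Python ships this; the merge below stands in for it.
    from splunk.clilib.cli_common import getMergedConf  # noqa: F401
    HAVE_SPLUNK_LIB = True
except ImportError:
    HAVE_SPLUNK_LIB = False


def merge_conf(app_dir, conf_name=CONF_NAME):
    """Merge <app_dir>/default/<conf> and <app_dir>/local/<conf>.

    Same precedence Splunk applies: a key in local/ overrides the same key in
    default/, stanza by stanza; keys present only in default/ survive.
    Returns {stanza: {key: value}}.
    """
    merged = {}
    for layer in ("default", "local"):
        path = os.path.join(app_dir, layer, conf_name)
        if not os.path.isfile(path):
            continue
        cp = configparser.RawConfigParser()
        cp.optionxform = str  # keep key case; Splunk conf keys are case-sensitive
        cp.read(path)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(dict(cp.items(stanza)))
    return merged


def load_settings(app_dir, stanza=STANZA):
    """Return the script's stanza, failing the way the thread's script does."""
    settings = merge_conf(app_dir).get(stanza, {})
    if not settings.get("TOPLEVELURL"):
        raise ValueError("Couldn't read TOPLEVELURL from %s." % CONF_NAME)
    return settings


def resolve_credentials(settings, passauth=None):
    """Use the PassAuth (user, password) pair if Splunk handed one over,
    otherwise the username/password keys from the conf (ASSUMED key names).
    With single sign-on there is no PassAuth, so only the conf path works."""
    if passauth:
        return passauth
    user, pw = settings.get("username"), settings.get("password")
    if user and pw:
        return (user, pw)
    raise ValueError(
        "Couldn't read authentication details PassAuth or from %s." % CONF_NAME)


def build_demo_app(root):
    """Constructed sample app: default/ ships blanks, local/ carries site values."""
    os.makedirs(os.path.join(root, "default"))
    os.makedirs(os.path.join(root, "local"))
    with open(os.path.join(root, "default", CONF_NAME), "w") as f:
        f.write("[%s]\nTOPLEVELURL =\nusername =\npassword =\ntimeout = 30\n" % STANZA)
    with open(os.path.join(root, "local", CONF_NAME), "w") as f:
        f.write("[%s]\nTOPLEVELURL = https://192.0.2.10:50103/\n"
                "username = splunk\npassword = s3cret\n" % STANZA)
    return root


def demo():
    """Merge the constructed app, then blank the URL in local/ to trigger the
    same error the thread reports. Returns (settings, credentials, url_error)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_app(tmp)
        settings = load_settings(app)
        creds = resolve_credentials(settings)  # SSO case: no PassAuth available
        with open(os.path.join(app, "local", CONF_NAME), "w") as f:
            f.write("[%s]\nTOPLEVELURL =\n" % STANZA)  # local/ blank overrides default/
        try:
            load_settings(app)
            url_error = False
        except ValueError:
            url_error = True
        return settings, creds, url_error


if __name__ == "__main__":
    print("Splunk merge library importable:", HAVE_SPLUNK_LIB)
    print(demo())
```

Running the block under `./splunk cmd python` versus the system `python` shows the interpreter difference from the earlier reply: the first line prints True only under Splunk's bundled Python. The merge itself shows that a key left blank in local/ still overrides a value in default/, which is one way a TOPLEVELURL that "is in local/" can still come back empty.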
It turns out this is related to the use of single sign-on and PassAuth; if you are using single sign-on, for now the only option is to configure your NetWitness credentials in the configuration file.
I do see the irony in it but unfortunately I'm not sure if/how I will be able to address it. Maybe someone from Splunk can pitch in here with what would be the solution in these cases.