Hi there,
I installed splunk for netwitness and set up all configuration. But It's not working well.
Error log is below.
"ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness/bin/nwsdk.py" 2013-Mar-12 18:04:35 - INFO: No new sessions to read from http://netbox_IP:50105/
And then my splunk box info is here.
Linux 3.5.0-25-generic #39~precise1-Ubuntu SMP Tue Feb 26 00:07:14 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
when I ping to netwitness, everything is OK. my config file which named nwsdk.conf located in /opt/splunk/etc/apps/netwitness/local/nwsdk.conf.
I have no idea why this app was not worked from my linux box.
Hi,
The message suggests that you can connect to your NW device correctly, the app just thinks there's no new data that needs to be read, is this a busy system or a test system with no new data constantly flowing into it?
Also, please check if the last_sid_file (default: /var/tmp/.last_sessionid) exists, if so its contents might be corrupted and the value in there could be larger than the latest session ID on the NetWitness DB.
If that's the case, simply deleting the file should force a restart of data collection based on the latest 5 minutes of events on the NW DB.
Are there any other error messages from when the application first started?
You can also run it from the command line to check for errors using the $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/netwitness/bin/nwdsdk.py
command, if needed but if it's successful the output might be rather large.
Hope that helps! If not please let me know and I'll try to assist further.
Thank you,
Rui
Hi,
The message suggests that you can connect to your NW device correctly, the app just thinks there's no new data that needs to be read, is this a busy system or a test system with no new data constantly flowing into it?
Also, please check if the last_sid_file (default: /var/tmp/.last_sessionid) exists, if so its contents might be corrupted and the value in there could be larger than the latest session ID on the NetWitness DB.
If that's the case, simply deleting the file should force a restart of data collection based on the latest 5 minutes of events on the NW DB.
Are there any other error messages from when the application first started?
You can also run it from the command line to check for errors using the $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/netwitness/bin/nwdsdk.py
command, if needed but if it's successful the output might be rather large.
Hope that helps! If not please let me know and I'll try to assist further.
Thank you,
Rui
Great! Glad to hear you got it sorted.
Thank you for letting me know!
Thank you for your kind answer, Rui. I did success running this app. As your thought, no_sid_file config valuse may some problem. But I am not sure that. I changed no_sid_file value from -2 to 0.
After that I can watch all data. Thank you for your help.
Regards,