Tripwire IP360 Add-on for Splunk error: "operator does not exist"

sheltonc_bah
Explorer

We are getting the following error when trying to use the IP360 Add-on:

ERROR: operator does not exist: timestamp with time zone > character varying

This appears to be an issue with the checkpoint value getting applied back to the query. The initial run completes fine, saves the new checkpoint value, but we get this error on all further queries.

SQL from the add-on:

SELECT * FROM (select start_date, audit_id, end_date, end_date - start_date as duration, s.status
, n.network_id
, n.name
, (SELECT string_agg(range, ', ') from nc_network_range where network_id = a.network_id) as networkinc
 , (SELECT string_agg(exclude::text, ', ') from nc_network_range where network_id = a.network_id) as networkexc
 , '?' as networktotal
 , '?' as networkgroups
 , n.active as networkactive
  , sp.name as scan_profile_name
  , a.dp_id
  , 'no permissions' as dpname
  , 'no permissions' as dphw
  , 'no permissions' as dpip
  from nc_audit a
  inner join nc_network n on n.network_id = a.network_id
  inner join nc_audit_status s on s.status_id = a.status_id
  left join nc_scan_profile sp on sp.scan_profile_id = a.scan_profile_id
  where end_date IS NOT NULL AND start_date > cast('2017-08-15 00:00:00' as timestamp)) t WHERE \"end_date\" > ? ORDER By \"end_date\" ASC

Example Checkpoint value:

2017-08-18 13:08:57.748866-04

Our environment:
- Splunk 6.5.3
- DB Connect 2.4
- Tripwire IP360 7.5.2

0 Karma
1 Solution

JimWachhaus
Path Finder

It appears that if someone goes into the dbconnect app and goes through the process to “Save” the ip360_scan_status input, then the dbconnect adds new parameters to our inputs.conf that create this problem.

So an example inputs.conf with the "extra" lines from the save would be like this:
[root@localhost apps]# diff splunk_app_db_connect/local/inputs.conf splunk_app_db_connect/local/inputs.conf.bak
83,86d82
< enable_query_wrapping = 1
< tail_rising_column_fullname = (003) nc_audit.end_date.timestamptz
< tail_rising_column_checkpoint_value = 2017-10-06 15:40:46.213108-04
< disabled = 0

To fix the error:
1. Delete the enable_query_wrapping, tail_rising_column_fullname, and tail_rising_column_checkpoint_value lines from the inputs.conf
2. Disable/re-enable the ip360_scan_status input
3. This should start working again.

WARNING: Make sure you do not go back through the input in the dbconnect app and click Save again! If you do, those parameters are added to the inputs.conf and the app is broken again.
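
One way to check for and strip the Save-added keys named in the answer above, as an added example that is not part of the original post or the add-on. The `[mi_input://...]` stanza header format and the shortened query in the sample are constructed assumptions; the function name is hypothetical.

```python
import re

# Keys the answer says DB Connect writes when the input is re-saved in the UI.
SAVE_ADDED_KEYS = (
    "enable_query_wrapping",
    "tail_rising_column_fullname",
    "tail_rising_column_checkpoint_value",
)

def strip_save_added_keys(conf_text, input_name="ip360_scan_status"):
    """Return (cleaned_text, removed); removed is a list of (stanza, key)."""
    out, removed = [], []
    stanza, in_target = None, False
    skipping = False   # dropping a removed setting and its continuation lines
    continued = False  # previous line ended with a backslash
    for line in conf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        if not continued:
            skipping = False
            header = re.match(r"\s*\[(.+)\]\s*$", body)
            if header:
                stanza = header.group(1)
                in_target = input_name in stanza
            elif in_target and "=" in body:
                key = body.split("=", 1)[0].strip()
                if key in SAVE_ADDED_KEYS:
                    removed.append((stanza, key))
                    skipping = True
        if not skipping:
            out.append(line)
        continued = body.endswith("\\")
    return "".join(out), removed

# Constructed sample: stanza header format and shortened query are assumptions.
SAMPLE = """\
[mi_input://ip360_scan_status]
query = SELECT * FROM nc_audit \\
  WHERE end_date IS NOT NULL
enable_query_wrapping = 1
tail_rising_column_fullname = (003) nc_audit.end_date.timestamptz
tail_rising_column_checkpoint_value = 2017-10-06 15:40:46.213108-04
disabled = 0

[mi_input://other_input]
enable_query_wrapping = 1
"""

if __name__ == "__main__":
    cleaned, removed = strip_save_added_keys(SAMPLE)
    print(removed)
    print(cleaned)
```

A non-empty `removed` list means the input has been re-saved through the UI; write the cleaned text back to a copy of the file first, then disable and re-enable the input as in step 2.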

JimWachhaus
Path Finder

What version of the add-on are you using?

0 Karma

sheltonc_bah
Explorer

We tried the 2.0 and 2.1 versions of the add-on from the Tripwire site.

0 Karma