All Apps and Add-ons

Why are the Security App for NetWitness and Administration App for RSA Security Analytics apps' python scripts not pulling data?

teja2007
New Member

Hi Everyone 🙂

Installed the Security App for NetWitness but the .py scripts are pulling not data form it and showing these errors.

ERROR ExecProcessor - message from "python /opt/splunk/etc/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - WARN: Couldn't execute summary query. Sleeping 60 seconds..
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - ERROR: [get_summary] message= - URL=***************************************/json*

This app is pushed onto forwarder cluster bearing 15 forwarders.

Installed the Administration App for RSA Security Analytics but the .py scripts are not pulling data form it and showing these errors.

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jpmcsec_all_netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:37 - ERROR: Processing decoder-itrnw-uscl-dec-01 entry from configuration file

After 2 days i installed this app i received the following messages when searched

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:58 - INFO: Successfully terminated all threads

Could someone help me with this, thanks in advance.

Regards,
Shiv

0 Karma

rataide
Path Finder

Hi Shiv,

They both look like possible configuration file issues... Unless you changed the log entry for posting here. In the first case the URL should really show the URL to the REST API something like http(s)://:/

The second app suggests that the app is working as expected and reporting an error in your configuration file, the last message is unfortunately a Splunk side-effect where all messages written to STDERR are prefixed with the word ERROR: so the app actually then add its own level and in the last message as you can see it's simply an INFO message.

Please feel free to reach out to me directly if you don't want to post your configuration files here. I'm the app developer and my e-mail can be found in the app itself.

Thank you,

Rui

0 Karma

teja2007
New Member

Hi Rui,

I cannot find your email address could you kindly share it?

Regards,
Shiv

0 Karma

teja2007
New Member

Hi Rui,
There is URL to the REST API something like http(s)://:/xxxxxxxxxx.com/json in the error but due to organization concern i didn't give it here.

Regards,
Shiva

0 Karma

rataide
Path Finder

Understood and why I suggested we moved to e-mail. The json part is probably the issue unless you removed more data and that's just the ending.

The message part should let us know what the error is related to as well. Let's move to e-mail and maybe you can share the full logs and details there.

Thank you,

Rui

0 Karma

teja2007
New Member

I have sent an email to both your @netwitness.com and @rsa.com Please reply back there.

0 Karma

rataide
Path Finder

It's at the top of the README.txt file in the main directory for each of the apps, it is still the original at NetWitness but the same at @rsa.com will work too.

Thank you,

Rui

0 Karma

teja2007
New Member

Thanks Rui, I emailed you hope to hear from you soon.

Regards,
Shiva

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...