Hi Everyone 🙂
Installed the Security App for NetWitness but the .py scripts are not pulling data from it and are showing these errors.
ERROR ExecProcessor - message from "python /opt/splunk/etc/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - WARN: Couldn't execute summary query. Sleeping 60 seconds..
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - ERROR: [get_summary] message= - URL=***************************************/json*
This app is pushed onto a forwarder cluster bearing 15 forwarders.
Installed the Administration App for RSA Security Analytics but the .py scripts are not pulling data from it and are showing these errors.
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jpmcsec_all_netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:37 - ERROR: Processing decoder-itrnw-uscl-dec-01 entry from configuration file
2 days after I installed this app, I received the following messages when I searched:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:58 - INFO: Successfully terminated all threads
Could someone help me with this? Thanks in advance.
They both look like possible configuration file issues... Unless you changed the log entry for posting here. In the first case the URL should really show the URL to the REST API, something like http(s)://:/
The second app suggests that the app is working as expected and reporting an error in your configuration file. The last message is unfortunately a Splunk side-effect where all messages written to STDERR are prefixed with the word ERROR, so the app then actually adds its own level, and in the last message, as you can see, it's simply an INFO message.
Please feel free to reach out to me directly if you don't want to post your configuration files here. I'm the app developer and my e-mail can be found in the app itself.
Understood, and that's why I suggested we move to e-mail. The json part is probably the issue unless you removed more data and that's just the ending.
The message part should let us know what the error is related to as well. Let's move to e-mail and maybe you can share the full logs and details there.
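The STDERR prefixing described in the developer's reply can be untangled when triaging these logs. This is an added example, not part of the thread or of either app's code: it separates the level splunkd prepends from the level the script itself reported. The function names, the `BENIGN` set and the last sample line are assumptions made for the illustration.

```python
import re
from collections import Counter

# Layout as seen in the log lines quoted in this thread:
#   <splunkd level> ExecProcessor - message from "<command>" <script timestamp> - <script level>: <text>
# The timestamp/level part is optional so raw stderr output (e.g. a traceback) still parses.
EXEC_LINE = re.compile(
    r'(?P<splunkd_level>[A-Z]+)\s+ExecProcessor - message from "(?P<command>[^"]+)"\s+'
    r'(?:(?P<ts>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<script_level>[A-Z]+): )?'
    r'(?P<text>.*)'
)
BENIGN = {"INFO", "DEBUG"}  # assumption: script levels that need no follow-up

def parse_exec_line(line):
    """Split one ExecProcessor line into splunkd's prefix and the script's own fields."""
    m = EXEC_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["script"] = rec["command"].split()[-1].rsplit("/", 1)[-1]
    return rec

def actionable(lines):
    """Keep records whose own level is not benign; lines with no inner level are kept."""
    recs = (parse_exec_line(l) for l in lines)
    return [r for r in recs if r and r["script_level"] not in BENIGN]

def summarize(lines):
    """Count messages per (script, level the script itself reported)."""
    recs = (parse_exec_line(l) for l in lines)
    return Counter((r["script"], r["script_level"]) for r in recs if r)

# First three lines are copied from the thread; the last one is constructed
# (stderr output with no inner level, hypothetical script path).
SAMPLE = """\
ERROR ExecProcessor - message from "python /opt/splunk/etc/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - WARN: Couldn't execute summary query. Sleeping 60 seconds..
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jpmcsec_all_netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:37 - ERROR: Processing decoder-itrnw-uscl-dec-01 entry from configuration file
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:58 - INFO: Successfully terminated all threads
ERROR ExecProcessor - message from "python /opt/example/bin/example_input.py" Traceback (most recent call last):
""".splitlines()

if __name__ == "__main__":
    for (script, level), count in summarize(SAMPLE).items():
        print(script, level, count)
    for rec in actionable(SAMPLE):
        print("follow up:", rec["script"], rec["script_level"], rec["text"])
```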