Hi Everyone 🙂
Installed the Security App for NetWitness but the .py scripts are pulling not data form it and showing these errors.
ERROR ExecProcessor - message from "python /opt/splunk/etc/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - WARN: Couldn't execute summary query. Sleeping 60 seconds..
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" 2017-Apr-20 16:20:51 - ERROR: [get_summary] message= - URL=***************************************/json*
This app is pushed onto forwarder cluster bearing 15 forwarders.
Installed the Administration App for RSA Security Analytics but the .py scripts are not pulling data form it and showing these errors.
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jpmcsec_all_netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:37 - ERROR: Processing decoder-itrnw-uscl-dec-01 entry from configuration file
After 2 days i installed this app i received the following messages when searched
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_admin/bin/nwadmin.py" 2017-Apr-18 05:39:58 - INFO: Successfully terminated all threads
Could someone help me with this, thanks in advance.
Regards,
Shiv
Hi Shiv,
They both look like possible configuration file issues... Unless you changed the log entry for posting here. In the first case the URL should really show the URL to the REST API something like http(s)://:/
The second app suggests that the app is working as expected and reporting an error in your configuration file, the last message is unfortunately a Splunk side-effect where all messages written to STDERR are prefixed with the word ERROR: so the app actually then add its own level and in the last message as you can see it's simply an INFO message.
Please feel free to reach out to me directly if you don't want to post your configuration files here. I'm the app developer and my e-mail can be found in the app itself.
Thank you,
Rui
Hi Rui,
I cannot find your email address could you kindly share it?
Regards,
Shiv
Hi Rui,
There is URL to the REST API something like http(s)://:/xxxxxxxxxx.com/json in the error but due to organization concern i didn't give it here.
Regards,
Shiva
Understood and why I suggested we moved to e-mail. The json part is probably the issue unless you removed more data and that's just the ending.
The message part should let us know what the error is related to as well. Let's move to e-mail and maybe you can share the full logs and details there.
Thank you,
Rui
I have sent an email to both your @netwitness.com and @rsa.com Please reply back there.
It's at the top of the README.txt file in the main directory for each of the apps, it is still the original at NetWitness but the same at @rsa.com will work too.
Thank you,
Rui
Thanks Rui, I emailed you hope to hear from you soon.
Regards,
Shiva