All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

task config has no interval

davebo1896
Communicator
‎04-16-2018 01:38 PM

Not getting and Azure Audit logs after setup. We are on-prem. Any ideas?

Seeing this error in the logs:
2018-04-16 20:30:20,975 +0000 log_level=ERROR, pid=17164, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=199 | Microsoft Cloudservices Azure Audit task encounter exception
Traceback (most recent call last):
File "/app/install/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_mod_input.py", line 196, in main
config_cls=configer_cls, log_suffix=log_suffix)
File "/app/install/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_mod_input.py", line 111, in run
tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig, log_suffix)
File "/app/install/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_config.py", line 203, in create_ta_config
return config_cls(meta_config, settings, stanza_name, log_suffix)
File "/app/install/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_config.py", line 31, in __init__
self._load_task_configs()
File "/app/install/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_config.py", line 60, in _load_task_configs
self._divide_settings)
File "/app/install/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_config.py", line 80, in _generate_task_configs
assert task_config.get(c.interval), "task config has no interval " \
AssertionError: task config has no interval field

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

davebo1896
Communicator
‎05-11-2018 07:05 AM

It appears the problem is caused by the ordering of the configs
(and the UI does not put them in the correct order)

The stanza has to be configured in the order listed in the documentation:

 [<input_stanza_name>]              
 account = <value>
 subscription_id = <value>
 start_time = <value>
 index = <value>
 interval = <value>

View solution in original post

Reply
Solved! Jump to solution
Solution

davebo1896
Communicator
‎05-11-2018 07:05 AM

It appears the problem is caused by the ordering of the configs
(and the UI does not put them in the correct order)

The stanza has to be configured in the order listed in the documentation:

 [<input_stanza_name>]              
 account = <value>
 subscription_id = <value>
 start_time = <value>
 index = <value>
 interval = <value>
Reply
Solved! Jump to solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎04-25-2019 01:20 AM

Yes, I discovered this today, it needs to match what you said, just like in this doc:

https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureinputs2

Because this is a non-standard .conf file (mscs_azure_audit_inputs.conf), guessing it's processed by a script that's not being smart (i.e. automatically throwing into an object without checking the key-value pairs...). This is either a bug in the UI or in the script processing this .conf file.

0 Karma
Reply
Solved! Jump to solution

jconger
Splunk Employee
Splunk Employee
‎04-17-2018 03:34 PM

Some of the configs are stored in the KV store. I've run into issues in the past if I try to create an input with the same name as a failed or previously deleted input. Try creating the input again with a unique name.

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎04-17-2018 02:37 AM

Hey@davebo1896,

Have you created this stanza in inputs.conf?

[<input_stanza_name>]              
account = <value>
subscription_id = <value>
start_time = <value>
index = <value>
interval = <value>

is the interval parameter added?

Refer this doc:
http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureinputs2
Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

davebo1896
Communicator
‎04-17-2018 12:25 PM

Thanks @deepashri_123,

I had assumed the GUI would add that as it created them. It had not. I manually updated each section with an interval, then restarted.

Unfortunately, still getting the error and not getting data.

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎04-18-2018 03:41 AM

Is the error still the same or error is different?

0 Karma
Reply
Solved! Jump to solution

davebo1896
Communicator
‎04-26-2018 09:39 AM

Same error

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...