Re: ImportError: No module named splunk.entity

fraijof · ‎10-25-2013

I'm running Splunk ver 6 on my current server. There is a known bug with CiscoIPS so I was recommended I create a new VM and load splunkforwarder ver 5.0.5 and push IPS data to my
Splunk 6 server. After MANY attempts in my config's, the log file is throwing connection errors.

/opt/splunkforwarder/var/log/splunk
10-24-2013 13:05:42.808 -0700 ERROR ExecProcessor - message from "python
/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py splunk
PASSWORDREMOVED ips.olcc.state.or.us" ImportError: No module named
splunk.entity
10-24-2013 13:05:42.832 -0700 INFO ExecProcessor - Ran script: python
/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py splunk
PASSWORDREMOVED ips.olcc.state.or.us, took 147.5 milliseconds to run, 0
bytes read, exited with code 1

/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/local/inputs.conf
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py
"splunk" "PASSREMOVED" "ips.olcc.state.or.us" ""]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/var/log
no data.

/opt/splunkforwarder/etc/system/local
[root@splunkips local]# cat outputs.conf
[tcpout:group1]
server=cave:9997

[root@splunkips local]# pwd
/opt/splunkforwarder/etc/system/local
[root@splunkips local]# cat inputs.conf
[default]
host = splunkips

gkanapathy · ‎10-30-2013

Based on your envvars, you are trying to run on a Universal Forwarder (UF). You need to run on a Lightweight Forwarder (LWF) or Heavy Forwarder (HF), or else add the Splunk python SDK libraries to the system python on the machine where the UF is running. (The SDK is available here.)

The main difference between a UF and a LWF is that the UF does not come with a Splunk python implementation (and the attendant Splunk python libraries), which is the difference you're seeing. It relies on the system python, but the system python doesn't have the Splunk libraries needed.

It's certainly possible to make it run on a UF, simply by either:

Installing the Splunk python SDK into the system python on the UF machine.
Putting the Splunk python SDK libraries into the app

Really the right solution would be for the app developer to simply include the Splunk python SDK libraries into the app itself so it comes with everything needed to run on a plain system python. This is fundamentally simple, it's simply a matter of sticking the SDK "splunk" folder into the "bin" directory where the main script that needs it is located.

fraijof · ‎10-30-2013

./splunk envvars
PATH=/opt/splunkforwarder/bin:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin ; export PATH ; SPLUNK_HOME=/opt/splunkforwarder ; export SPLUNK_HOME ; SPLUNK_DB=/opt/splunkforwarder/var/lib/splunk ; export SPLUNK_DB ; SPLUNK_SERVER_NAME=splunkforwarder ; export SPLUNK_SERVER_NAME ; SPLUNK_WEB_NAME=splunkweb ; export SPLUNK_WEB_NAME ; LD_LIBRARY_PATH=/opt/splunkforwarder/lib ; export LD_LIBRARY_PATH ; LDAPCONF=/opt/splunkforwarder/etc/openldap/ldap.conf ; export LDAPCONF

gkanapathy · ‎10-29-2013

How exactly did you install and configure the forwarder and the app. It seems to me that the environment that normally Splunk would use has been modified and so the normal Splunk python files (which is located in the site-packages for both 5 and 6) is not found. What does "/opt/splunk/bin/splunk envvars" return?

ImportError: No module named splunk.entity

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation