Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ImportError: No module named splunk.entity

fraijof
Explorer
‎10-25-2013 08:18 AM

I'm running Splunk ver 6 on my current server. There is a known bug with CiscoIPS so I was recommended I create a new VM and load splunkforwarder ver 5.0.5 and push IPS data to my
Splunk 6 server. After MANY attempts in my config's, the log file is throwing connection errors.

/opt/splunkforwarder/var/log/splunk
10-24-2013 13:05:42.808 -0700 ERROR ExecProcessor - message from "python
/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py splunk
PASSWORDREMOVED ips.olcc.state.or.us" ImportError: No module named
splunk.entity
10-24-2013 13:05:42.832 -0700 INFO ExecProcessor - Ran script: python
/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py splunk
PASSWORDREMOVED ips.olcc.state.or.us, took 147.5 milliseconds to run, 0
bytes read, exited with code 1

/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/local/inputs.conf
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py
"splunk" "PASSREMOVED" "ips.olcc.state.or.us" ""]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/var/log
no data.

/opt/splunkforwarder/etc/system/local
[root@splunkips local]# cat outputs.conf
[tcpout:group1]
server=cave:9997

[root@splunkips local]# pwd
/opt/splunkforwarder/etc/system/local
[root@splunkips local]# cat inputs.conf
[default]
host = splunkips

Tags (1)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-30-2013 10:07 AM

Based on your envvars, you are trying to run on a Universal Forwarder (UF). You need to run on a Lightweight Forwarder (LWF) or Heavy Forwarder (HF), or else add the Splunk python SDK libraries to the system python on the machine where the UF is running. (The SDK is available here.)

The main difference between a UF and a LWF is that the UF does not come with a Splunk python implementation (and the attendant Splunk python libraries), which is the difference you're seeing. It relies on the system python, but the system python doesn't have the Splunk libraries needed.

It's certainly possible to make it run on a UF, simply by either:

  • Installing the Splunk python SDK into the system python on the UF machine.
  • Putting the Splunk python SDK libraries into the app

Really the right solution would be for the app developer to simply include the Splunk python SDK libraries into the app itself so it comes with everything needed to run on a plain system python. This is fundamentally simple, it's simply a matter of sticking the SDK "splunk" folder into the "bin" directory where the main script that needs it is located.

Reply

fraijof
Explorer
‎10-30-2013 09:05 AM

./splunk envvars
PATH=/opt/splunkforwarder/bin:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin ; export PATH ; SPLUNK_HOME=/opt/splunkforwarder ; export SPLUNK_HOME ; SPLUNK_DB=/opt/splunkforwarder/var/lib/splunk ; export SPLUNK_DB ; SPLUNK_SERVER_NAME=splunkforwarder ; export SPLUNK_SERVER_NAME ; SPLUNK_WEB_NAME=splunkweb ; export SPLUNK_WEB_NAME ; LD_LIBRARY_PATH=/opt/splunkforwarder/lib ; export LD_LIBRARY_PATH ; LDAPCONF=/opt/splunkforwarder/etc/openldap/ldap.conf ; export LDAPCONF

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-29-2013 07:23 PM

How exactly did you install and configure the forwarder and the app. It seems to me that the environment that normally Splunk would use has been modified and so the normal Splunk python files (which is located in the site-packages for both 5 and 6) is not found. What does "/opt/splunk/bin/splunk envvars" return?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...