Getting Data In

ImportError: No module named splunk.entity

fraijof
Explorer

I'm running Splunk ver 6 on my current server. There is a known bug with CiscoIPS so I was recommended I create a new VM and load splunkforwarder ver 5.0.5 and push IPS data to my
Splunk 6 server. After MANY attempts in my config's, the log file is throwing connection errors.

/opt/splunkforwarder/var/log/splunk
10-24-2013 13:05:42.808 -0700 ERROR ExecProcessor - message from "python
/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py splunk
PASSWORDREMOVED ips.olcc.state.or.us" ImportError: No module named
splunk.entity
10-24-2013 13:05:42.832 -0700 INFO ExecProcessor - Ran script: python
/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py splunk
PASSWORDREMOVED ips.olcc.state.or.us, took 147.5 milliseconds to run, 0
bytes read, exited with code 1

/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/local/inputs.conf
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py
"splunk" "PASSREMOVED" "ips.olcc.state.or.us" ""]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

/opt/splunkforwarder/etc/apps/Splunk_CiscoIPS/var/log
no data.

/opt/splunkforwarder/etc/system/local
[root@splunkips local]# cat outputs.conf
[tcpout:group1]
server=cave:9997

[root@splunkips local]# pwd
/opt/splunkforwarder/etc/system/local
[root@splunkips local]# cat inputs.conf
[default]
host = splunkips

Tags (1)

gkanapathy
Splunk Employee
Splunk Employee

Based on your envvars, you are trying to run on a Universal Forwarder (UF). You need to run on a Lightweight Forwarder (LWF) or Heavy Forwarder (HF), or else add the Splunk python SDK libraries to the system python on the machine where the UF is running. (The SDK is available here.)

The main difference between a UF and a LWF is that the UF does not come with a Splunk python implementation (and the attendant Splunk python libraries), which is the difference you're seeing. It relies on the system python, but the system python doesn't have the Splunk libraries needed.

It's certainly possible to make it run on a UF, simply by either:

  • Installing the Splunk python SDK into the system python on the UF machine.
  • Putting the Splunk python SDK libraries into the app

Really the right solution would be for the app developer to simply include the Splunk python SDK libraries into the app itself so it comes with everything needed to run on a plain system python. This is fundamentally simple, it's simply a matter of sticking the SDK "splunk" folder into the "bin" directory where the main script that needs it is located.

fraijof
Explorer

./splunk envvars
PATH=/opt/splunkforwarder/bin:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin ; export PATH ; SPLUNK_HOME=/opt/splunkforwarder ; export SPLUNK_HOME ; SPLUNK_DB=/opt/splunkforwarder/var/lib/splunk ; export SPLUNK_DB ; SPLUNK_SERVER_NAME=splunkforwarder ; export SPLUNK_SERVER_NAME ; SPLUNK_WEB_NAME=splunkweb ; export SPLUNK_WEB_NAME ; LD_LIBRARY_PATH=/opt/splunkforwarder/lib ; export LD_LIBRARY_PATH ; LDAPCONF=/opt/splunkforwarder/etc/openldap/ldap.conf ; export LDAPCONF

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

How exactly did you install and configure the forwarder and the app. It seems to me that the environment that normally Splunk would use has been modified and so the normal Splunk python files (which is located in the site-packages for both 5 and 6) is not found. What does "/opt/splunk/bin/splunk envvars" return?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...