I'm trying to setup the TA, and have filled out all of the required fields (information taken from an azure subscription), and we aren't pulling data, but are seeing the following error messages occur
01-24-2018 14:58:48.386 +0000 ERROR ExecProcessor - message from "python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORacquire_token_with_client_credentials() takes exactly 4 arguments (5 given)
2018-01-24 15:00:00,624 ERROR pid=115140 tid=MainThread file=configuration_check.py:run:164 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input="/opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" stanza="oms_inputs://oms_splunk" status="exited with code 1""
Any help would be appreciated. @jkat54
This app has been deprecated and a new log analytics app has replaced it. Please give the new app a try:
https://splunkbase.splunk.com/app/4127/
All previously known bugs have been addressed.
@luke75 Did the upgrade solve your problem?
Can you please upgrade to the latest version of the app (v1.2) and let me know if the problem is resolved?
https://splunkbase.splunk.com/app/3764
Thanks,
JKat
Looks like I'm still receiving the following error:
03-07-2018 19:32:48.346 +0000 ERROR ExecProcessor - message from "python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORGet Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier '*' was not found in the directory a74cd446-d03c-4d05-afea-429e248a5fc4\r\nTrace ID: b8f81f70-b64b-42ad-b497-8237e9e71000\r\nCorrelation ID: f3d3d29d-cb52-4a91-8cb8-fbabdfc75cfb\r\nTimestamp: 2018-03-07 19:32:48Z","error_codes":[70001],"timestamp":"2018-03-07 19:32:48Z","trace_id":"b8f81f70-b64b-42ad-b497-8237e9e71000","correlation_id":"f3d3d29d-cb52-4a91-8cb8-fbabdfc75cfb"}
Hello Travis.
I am not 100% sure whether this is your problem, but from the error message provided it looks like you have used "*" as "Application ID" in the Splunk Input properties. This will not work for sure. Application ID and Application Key are used to authorize Splunk in Azure. You have to obtain their values in the properties of the Splunk application you have registered in Azure. Please find the step-by-step guide for registering Splunk in Azure and setting up inputs here: https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html .
Regards
Lukas
I agree with Lukas. This error message is saying you used * as your application Id. It should be something different,
Please run this search and let me know the results:
index=_internal sourcetype=splunk_python OR (sourcetype=splunkd AND oms_inputs.py)
I may have found a bug.
Can you try editing bin/oms_inputs.py lines 140 and 141?
Change:
inputname = input_name.replace("://","_")
token_response = context.acquire_token_with_client_credentials('https://management.core.windows.net/', application_id, inputname, application_key)
To:
token_response = context.acquire_token_with_client_credentials('https://management.core.windows.net/', application_id, application_key)
Then save the oms_inputs.py and see if the error goes away.
It looks like I made some error while modifying the input file, because I see the following in the Splunk log now:
03-01-2018 08:28:51.341 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORlocal variable 'data' referenced before assignment host = qa-splutil-lx01 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
03-01-2018 08:28:19.588 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py host = qa-splutil-lx01 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
@jkat54, could you please share the complete input file? Thank you very much for any help or advice!
It looks like we're getting closer. The new error I'm getting is:
03-02-2018 15:41:20.649 +0000 ERROR ExecProcessor - message from "python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORGet Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier '*' was not found in the directory a74cd446-d03c-4d05-afea-429e248a5fc4\r\nTrace ID: e68d1ee2-afbd-4e6c-b520-8fa55f020a00\r\nCorrelation ID: 84105cb3-2af7-4d39-9833-5090338c8a08\r\nTimestamp: 2018-03-02 15:41:20Z","error_codes":[70001],"timestamp":"2018-03-02 15:41:20Z","trace_id":"e68d1ee2-afbd-4e6c-b520-8fa55f020a00","correlation_id":"84105cb3-2af7-4d39-9833-5090338c8a08"}
I think the reason may be because of asterisks in the Resource Group, Application ID, and Application Key. Can you provide some guidance on what might typically go into these fields. Pardon my lack of knowledge with OMS, I'm just trying to get the data into Splunk for another party.
It looks like I made some error while modifying the input file, because I see the following in the Splunk log now:
03-01-2018 08:28:51.341 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORlocal variable 'data' referenced before assignment
host = qa-splutil-lx01 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
03-01-2018 08:28:19.588 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py
host = qa-splutil-lx01 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
@jkat54, could you please share the complete input file? Thank you very much for any help or advice!
I have the same problem with the "Microsoft OMS Modular Inputs TA" application.
Here is the error from the Splunk server log:
02-20-2018 11:26:20.015 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORacquire_token_with_client_credentials() takes exactly 4 arguments (5 given)
Besides that, I only see the following lines when searching for "TA-OMS_Inputs":
02-20-2018 11:25:47.960 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py
I have reviewed "Tennant ID", "Application ID" and "Application Key" used in the Splunk input configuration (in both the UI and inputs.conf), and these values seem to be OK - they do not contain spaces or hidden characters.
Is there any way to get more verbose log, or to find out what exactly does the application send to Azure/OMS?
Any help or suggestion would be appreciated.
Many thanks, @jkat54 and anyone else willing to help!
,@jkat54,
I have the same problem with the "Microsoft OMS Modular Inputs TA" application. Here is the error from the Splunk server log:
02-20-2018 11:26:20.015 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORacquire_token_with_client_credentials() takes exactly 4 arguments (5 given)
I have reviewed "Tennant ID", "Application ID" and "Application Key" used in the Splunk input configuration (in both the UI and inputs.conf), and these values seem to be OK - they do not contain spaces or hidden characters.
Is there any way to get more verbose log, or to find out what exactly does the application send to Azure/OMS?
Any help would be appreciated. Many thanks!
@travis, Please run this search and let me know the results:
index=_internal sourcetype=splunk_python OR (sourcetype=splunkd AND oms_inputs.py)