Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting error after upgrading Splunk Add-on for AWS on v 8.0.3.

net1993
Path Finder
‎09-17-2020 04:10 AM

After the upgrade of Splunk Add-on for AWS, there is an error message appearing in the right corner in Splunk:

Unable to initialize modular input "splunk_ta_aws_sqs" defined in the app "Splunk_TA_aws": Introspecting scheme=splunk_ta_aws_sqs: script running failed (exited with code 1)

I have disabled all inputs from default and local, even deleted inputs.conf without help.

The error is occurring only on the Search Head but I don't have data collection because data collection is occurring on a Heavy Forwarder.

Splunk is v 8.0.3 and the app is the latest version.

In the log, I see there is a script which is failing which seems like it could be an issue with python script but I don't understand why as all inputs from the add-on are disabled/removed and SH has been restarted.

Labels (5)
Tags (1)
Reply

vikramyadav
Contributor
‎09-25-2020 05:12 PM

Can you check internal log of splunk and provide some more details about error. And also can you mention form which python script you are getting error.

Reply

jbrinkman
Explorer
‎11-24-2020 02:49 PM
@vikramyadav wrote:

Can you check internal log of splunk and provide some more details about error. And also can you mention form which python script you are getting error.

Had similar issue. For whatever reason ours would only throw on the SHC members. I would go into the README directory in the app and comment out the entirety of the inputs.conf.spec. Once that was performed all alerting on stopped.

 

0000 INFO SpecFiles - Found external scheme definition for stanza="splunk_ta_aws_sqs://" from spec file="/opt/splunk/etc/apps/Splunk_TA_aws/README/inputs.conf.spec" with parameters="placeholder"

0000 ERROR ModularInputs - No script to handle scheme "splunk_ta_aws_sqs" was found. This modular input will be disabled.

0000 ERROR ModularInputs - Unable to initialize modular input "splunk_ta_aws_sqs" defined inside the app "Splunk_TA_aws": Unable to locate suitable script for introspection.

These would also fire on standalone search heads but only at startup. With the SHC members it was continuous every few minutes. Commenting out the inputs.conf.spec stopped the issue. Since the TA for the search head wasn't there to ingest data we had no concerns commenting it out.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...