Installation

Getting error after upgrading Splunk Add-on for AWS on v 8.0.3.

net1993
Path Finder

After the upgrade of Splunk Add-on for AWS, there is an error message appearing in the right corner in Splunk:

Unable to initialize modular input "splunk_ta_aws_sqs" defined in the app "Splunk_TA_aws": Introspecting scheme=splunk_ta_aws_sqs: script running failed (exited with code 1)

I have disabled all inputs from default and local, even deleted inputs.conf without help.

The error is occurring only on the Search Head but I don't have data collection because data collection is occurring on a Heavy Forwarder.

Splunk is v 8.0.3 and the app is the latest version.

In the log, I see there is a script which is failing which seems like it could be an issue with python script but I don't understand why as all inputs from the add-on are disabled/removed and SH has been restarted.

Labels (5)
Tags (1)

vikramyadav
Contributor

Can you check internal log of splunk and provide some more details about error. And also can you mention form which python script you are getting error.

jbrinkman
Explorer

@vikramyadav wrote:

Can you check internal log of splunk and provide some more details about error. And also can you mention form which python script you are getting error.


Had similar issue. For whatever reason ours would only throw on the SHC members. I would go into the README directory in the app and comment out the entirety of the inputs.conf.spec. Once that was performed all alerting on stopped.

 

0000 INFO SpecFiles - Found external scheme definition for stanza="splunk_ta_aws_sqs://" from spec file="/opt/splunk/etc/apps/Splunk_TA_aws/README/inputs.conf.spec" with parameters="placeholder"

0000 ERROR ModularInputs - No script to handle scheme "splunk_ta_aws_sqs" was found. This modular input will be disabled.

0000 ERROR ModularInputs - Unable to initialize modular input "splunk_ta_aws_sqs" defined inside the app "Splunk_TA_aws": Unable to locate suitable script for introspection.

These would also fire on standalone search heads but only at startup. With the SHC members it was continuous every few minutes. Commenting out the inputs.conf.spec stopped the issue. Since the TA for the search head wasn't there to ingest data we had no concerns commenting it out.

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...