Installation

Getting error after upgrading Splunk Add-on for AWS on v 8.0.3.

net1993
Path Finder

After the upgrade of Splunk Add-on for AWS, there is an error message appearing in the right corner in Splunk:

Unable to initialize modular input "splunk_ta_aws_sqs" defined in the app "Splunk_TA_aws": Introspecting scheme=splunk_ta_aws_sqs: script running failed (exited with code 1)

I have disabled all inputs from default and local, even deleted inputs.conf without help.

The error is occurring only on the Search Head but I don't have data collection because data collection is occurring on a Heavy Forwarder.

Splunk is v 8.0.3 and the app is the latest version.

In the log, I see there is a script which is failing which seems like it could be an issue with python script but I don't understand why as all inputs from the add-on are disabled/removed and SH has been restarted.

Labels (5)
Tags (1)

vikramyadav
Contributor

Can you check internal log of splunk and provide some more details about error. And also can you mention form which python script you are getting error.

jbrinkman
Explorer

@vikramyadav wrote:

Can you check internal log of splunk and provide some more details about error. And also can you mention form which python script you are getting error.


Had similar issue. For whatever reason ours would only throw on the SHC members. I would go into the README directory in the app and comment out the entirety of the inputs.conf.spec. Once that was performed all alerting on stopped.

 

0000 INFO SpecFiles - Found external scheme definition for stanza="splunk_ta_aws_sqs://" from spec file="/opt/splunk/etc/apps/Splunk_TA_aws/README/inputs.conf.spec" with parameters="placeholder"

0000 ERROR ModularInputs - No script to handle scheme "splunk_ta_aws_sqs" was found. This modular input will be disabled.

0000 ERROR ModularInputs - Unable to initialize modular input "splunk_ta_aws_sqs" defined inside the app "Splunk_TA_aws": Unable to locate suitable script for introspection.

These would also fire on standalone search heads but only at startup. With the SHC members it was continuous every few minutes. Commenting out the inputs.conf.spec stopped the issue. Since the TA for the search head wasn't there to ingest data we had no concerns commenting it out.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...