All Apps and Add-ons

SolarWinds Add-on for Splunk status=400

jaxjohnny2000
Builder

This is reference to the SolarWinds Add-on for Splunk - SolarWinds Add-on for Splunk | Splunkbase

@ehaddad_splunk   Is there a limit to the structure or size of the SWQL?  

I can get Alerts, inventory, and simple queries no issue.  But when I run a complex search, I get status=400

The search below works inside the SWQL Studio

SELECT IPAddress1, IPAddress2, CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1, CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2, TotalBytesIngress, TotalPacketsIngress, TotalBytesEgress, TotalPacketsEgress, TotalBytesIngress + TotalBytesEgress AS TotalBytes, TotalPacketsIngress + TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1, DestinationIP AS IPAddress2, MAX(SourceHostnameID) AS HostnameID1, MAX(DestinationHostnameID) AS HostnameID2,SUM(IngressBytes) AS TotalBytesIngress, SUM(IngressPackets) AS TotalPacketsIngress, SUM(EgressBytes) AS TotalBytesEgress, SUM(EgressPackets) AS TotalPacketsEgress, SUM(IngressBytes) + SUM(EgressBytes) AS TotalBytes, SUM(IngressPackets) + SUM(EgressPackets) AS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIP, DestinationIP) ORDER BY TotalBytes DESC) OuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESC, IPAddress1 ASC, IPAddress2 ASC
 
The error message returns is: 
 

2021-03-18 11:43:11,872 +0000 log_level=ERRORpid=30166tid=Thread-4file=engine.pyfunc_name=_send_requestcode_line_no=325 | [stanza_name="test_001"] The response status=400 for request which url=https://10.1.2.21:17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT IPAddress1IPAddress2CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2TotalBytesIngressTotalPacketsIngressTotalBytesEgressTotalPacketsEgressTotalBytesIngress + TotalBytesEgress AS TotalBytesTotalPacketsIngress + TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1DestinationIP AS IPAddress2MAX(SourceHostnameIDAS HostnameID1MAX(DestinationHostnameIDAS HostnameID2,SUM(IngressBytesAS TotalBytesIngressSUM(IngressPacketsAS TotalPacketsIngressSUM(EgressBytesAS TotalBytesEgressSUM(EgressPacketsAS TotalPacketsEgressSUM(IngressBytes) + SUM(EgressBytesAS TotalBytesSUM(IngressPackets) + SUM(EgressPacketsAS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIPDestinationIPORDER BY TotalBytes DESCOuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESCIPAddress1 ASCIPAddress2 ASC and method=GET.


However, this one works fine as a successful search: 

2021-03-18 11:55:37,398 +0000 log_level=INFOpid=12462tid=Thread-4file=http.pyfunc_name=requestcode_line_no=169 | [stanza_name="test_002"] Invoking request to [https://10.1.2.1:17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT%20Caption%20AS%20NodeName,%20IPAddress%20FROM%20Orion.Nodesfinished

Labels (1)
Tags (1)
0 Karma
1 Solution

jaxjohnny2000
Builder

Ok, just for the record, simply replacing the + sign with %2B in the string before creating the input works.

So, what i paste in the tiny input box is below.  notice the %2B.  The add-on nor python will remove that code, it leaves it in place.  whew! 

SELECT IPAddress1, IPAddress2, CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1, CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2, TotalBytesIngress, TotalPacketsIngress, TotalBytesEgress, TotalPacketsEgress, TotalBytesIngress %2B TotalBytesEgress AS TotalBytes, TotalPacketsIngress %2B TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1, DestinationIP AS IPAddress2, MAX(SourceHostnameID) AS HostnameID1, MAX(DestinationHostnameID) AS HostnameID2, SUM(IngressBytes) AS TotalBytesIngress, SUM(IngressPackets) AS TotalPacketsIngress, SUM(EgressBytes) AS TotalBytesEgress, SUM(EgressPackets) AS TotalPacketsEgress, SUM(IngressBytes) %2B SUM(EgressBytes) AS TotalBytes, SUM(IngressPackets) %2B SUM(EgressPackets) AS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIP, DestinationIP) ORDER BY TotalBytes DESC ) OuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESC, IPAddress1 ASC, IPAddress2 ASC

 

 

 

 

View solution in original post

0 Karma

jaxjohnny2000
Builder

Ok, just for the record, simply replacing the + sign with %2B in the string before creating the input works.

So, what i paste in the tiny input box is below.  notice the %2B.  The add-on nor python will remove that code, it leaves it in place.  whew! 

SELECT IPAddress1, IPAddress2, CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1, CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2, TotalBytesIngress, TotalPacketsIngress, TotalBytesEgress, TotalPacketsEgress, TotalBytesIngress %2B TotalBytesEgress AS TotalBytes, TotalPacketsIngress %2B TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1, DestinationIP AS IPAddress2, MAX(SourceHostnameID) AS HostnameID1, MAX(DestinationHostnameID) AS HostnameID2, SUM(IngressBytes) AS TotalBytesIngress, SUM(IngressPackets) AS TotalPacketsIngress, SUM(EgressBytes) AS TotalBytesEgress, SUM(EgressPackets) AS TotalPacketsEgress, SUM(IngressBytes) %2B SUM(EgressBytes) AS TotalBytes, SUM(IngressPackets) %2B SUM(EgressPackets) AS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIP, DestinationIP) ORDER BY TotalBytes DESC ) OuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESC, IPAddress1 ASC, IPAddress2 ASC

 

 

 

 

View solution in original post

0 Karma

jaxjohnny2000
Builder

Thank you so much for responding.  I'll try to avoid the + sign.   But we do need to add those values

0 Karma

jaxjohnny2000
Builder

update:
@ehaddad_splunk 

the API does not like the "+" signs.   This customer had a similar experience: (1) no viable alternative at input ' FROM' in SELECT Clause - Forum - Network Performance Monitor (N...


here is my issue now.  If use the plus (+) sign in the input gui, the add-on does not convert it to to HTML code like it does for the greater than (>) sign.  If I put a > (greater than) sign in the GUI, the add-on will convert that to >   This is correct and pushed the html to the http api,

So, I tried to convert it myself before placing in the GUI.  I substituted + with +

Now the GUI will replace + with &amp#43;

This happens if I use the GUI or the CLI inputs.conf.

 

what can I do so that the GUI will send the + sign in proper html code? 

 

 

 

 

 

0 Karma

ehaddad_splunk
Splunk Employee
Splunk Employee

The url conversaion is natively done by the python library used in the input. The link ref from the solarwinds addon states to avoid using the +. Any chance you can use an alternative query without the use  of +. Maybe you can compute the addition on the splunk side at search time? 

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!