Getting Data In

What's causing the error global name 'Event' is not defined after upgrading Microsoft OMS Modular Inputs TA from v1.2 to v1.3.3?

pete_meyers
Explorer

After upgrading from TA-OMS_Inputs from v1.2 to v1.3.3 on, splunk v6.5.4 we are getting the following errors when log retrieval is attempted. The upgrade was achieved by removing the old version and installing the new version. Log retrieval from OMS was successful with v1.2

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" Traceback (most recent call last):
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" File "/opt/splunk/etc/apps/TA-OMS_Inputs/bin/ta_oms_inputs/modinput_wrapper/base_modinput.py", line 127, in stream_events
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" self.collect_events(ew)
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" File "/opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py", line 96, in collect_events
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" input_module.collect_events(self, ew)
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" File "/opt/splunk/etc/apps/TA-OMS_Inputs/bin/input_module_oms_inputs.py", line 108, in collect_events
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" event = Event()
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" NameError: global name 'Event' is not defined
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORglobal name 'Event' is not defined

@jkat54 are you able to advise.

1 Solution

damien_chillet
Builder

Hi Pete,

I took a quick look at the code for the latest version .
I believe this error message is due to a missing import statement in input_module_oms_inputs.py

The missing import would be:

from splunklib.modularinput import *

which holds definition of the Event class.

Not sure if your tag was taken into account there, so I'll tag the author again so he can have a look and confirm if that is indeed the problem.

@jkat54

View solution in original post

jkat54
SplunkTrust
SplunkTrust

Almost looks as if it’s failing to populate a variable called Event. Which makes me think something else is failing.

I have an even newer version of the app in development on my machine so I can’t load the old one to test just yet.

Can you tell me what this search reveals?

index=_internal source=*oms*
0 Karma

pete_meyers
Explorer

Hi Michael,

Here's the anonymized contents of /opt/splunk/var/log/splunk/ta_oms_inputs_oms_inputs.log with debug logging enabled for the add-on

2018-xx-xx xx:28:33,494 INFO pid=36937 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-xx-xx xx:28:35,251 INFO pid=36937 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-xx-xx xx:28:38,184 INFO pid=36937 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-xx-xx xx:28:41,160 INFO pid=36937 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-xx-xx xx:28:41,160 DEBUG pid=36937 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-OMS_Inputs/storage/collections/config/TA_OMS_Inputs_chec... (body: {})
2018-xx-xx xx:28:41,161 INFO pid=36937 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-xx-xx xx:28:41,171 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-OMS_Inputs/storage/collections/config/TA_OMS_Inputs_checkpointer HTTP/1.1" 200 5526
2018-xx-xx xx:28:41,172 DEBUG pid=36937 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.011681
2018-xx-xx xx:28:41,172 DEBUG pid=36937 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-OMS_Inputs/storage/collections/config/ (body: {'offset': 0, 'search': 'TA_OMS_Inputs_checkpointer', 'count': -1})
2018-xx-xx xx:28:41,175 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-OMS_Inputs/storage/collections/config/?offset=0&search=TA_OMS_Inputs_checkpointer&count=-1 HTTP/1.1" 200 4724
2018-xx-xx xx:28:41,177 DEBUG pid=36937 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005082
2018-xx-xx xx:28:41,179 DEBUG pid=36937 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-OMS_Inputs/storage/collections/data/TA_OMS_Inputs_checkp... (body: {})
2018-xx-xx xx:28:41,181 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-OMS_Inputs/storage/collections/data/TA_OMS_Inputs_checkpointer/last_date HTTP/1.1" 404 140
2018-xx-xx xx:28:41,192 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - Authority:Performing instance discovery: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2018-xx-xx xx:28:41,192 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - Authority:Performing static instance discovery
2018-xx-xx xx:28:41,192 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - Authority:Authority validated via static instance discovery
2018-xx-xx xx:28:41,193 INFO pid=36937 tid=MainThread file=log.py:info:103 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - TokenRequest:Getting token with client credentials.
2018-xx-xx xx:28:41,193 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - TokenRequest:No user_id passed for cache query
2018-xx-xx xx:28:41,193 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:finding with query: {"_clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}
2018-xx-xx xx:28:41,193 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:Looking for potential cache entries:
2018-xx-xx xx:28:41,193 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:{"_clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}
2018-xx-xx xx:28:41,193 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:Found 0 potential entries.
2018-xx-xx xx:28:41,207 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): login.microsoftonline.com
2018-xx-xx xx:28:41,383 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_make_request:400 | https://login.microsoftonline.com:443 "POST /xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/token?api-version=1.0 HTTP/1.1" 200 1376
2018-xx-xx xx:28:41,386 INFO pid=36937 tid=MainThread file=log.py:info:103 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:Get Token Server returned this correlation_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2018-xx-xx xx:28:41,387 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:Adding entry AccessTokenId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2018-xx-xx xx:28:41,391 DEBUG pid=36937 tid=MainThread file=log.py:debug:108 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - OAuth2Client:Added entry is MRRT
2018-xx-xx xx:28:41,393 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): management.azure.com
2018-xx-xx xx:28:43,433 DEBUG pid=36937 tid=MainThread file=connectionpool.py:_make_request:400 | https://management.azure.com:443 "POST /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/x-xxx-xx-xxxx-xxx-xx/providers/Microsoft.OperationalInsights/workspaces/xxxxxx-xxx-xxxxx/search?api-version=2017-04-26-preview HTTP/1.1" 200 None
2018-xx-xx xx:28:43,465 DEBUG pid=36937 tid=MainThread file=base_modinput.py:log_debug:286 | OMSInputName="PCEtest" status="200" step="Post Query" search_params="{'start': '2018-xx-xxT00:00:00', 'top': '1000', 'query': 'Type=xxxxxxxxx', 'end': '2018-xx-xxTxx:28:41'}'
2018-xx-xx xx:28:43,619 ERROR pid=36937 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-OMS_Inputs/bin/ta_oms_inputs/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py", line 96, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-OMS_Inputs/bin/input_module_oms_inputs.py", line 108, in collect_events
event = Event()
NameError: global name 'Event' is not defined

0 Karma

damien_chillet
Builder

Hi Pete,

I took a quick look at the code for the latest version .
I believe this error message is due to a missing import statement in input_module_oms_inputs.py

The missing import would be:

from splunklib.modularinput import *

which holds definition of the Event class.

Not sure if your tag was taken into account there, so I'll tag the author again so he can have a look and confirm if that is indeed the problem.

@jkat54

jkat54
SplunkTrust
SplunkTrust

Thanks for tagging me

0 Karma

pete_meyers
Explorer

Hi Damien,

Thanks for the reply

Adding the missing import on line 5 of input_module_oms_inputs.py did the trick.

Collection is now successful.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Not sure how this happened. I’m using the add-on builder to package this thing...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...