Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Errors feeding Arcsight with Splunk search results using Splunk Real-Time Output app

Thuan
Explorer
‎07-17-2014 02:23 PM

I am trying to feed Arcsight with the results of a Splunk search using the real time output app. I get the following error message.

_time log severity raw
21 7/17/14 4:35:36.214 PM rtoutput.log ERROR [Errno -2] Name or service not known Traceback (most recent call last): File "/opt/splunk/etc/apps/SplunkRealTimeOutput/bin/scripted_inputs/rtoutput.py", line 462, in asyncore.loop(use_poll=True) File "/opt/splunk/lib/python2.7/asyncore.py", line 216, in loop poll_fun(timeout, map) File "/opt/splunk/lib/python2.7/asyncore.py", line 201, in poll2 readwrite(obj, flags) File "/opt/splunk/lib/python2.7/asyncore.py", line 117, in readwrite obj.handle_error() File "/opt/splunk/lib/python2.7/asyncore.py", line 503, in handle_error self.handle_close() File "/opt/splunk/etc/apps/SplunkRealTimeOutput/bin/real_time_output/clients/httpsclient.py", line 235, in handle_close self.handle_parse_chunked(self.linebuffer) File "/opt/splunk/etc/apps/SplunkRealTimeOutput/bin/real_time_output/clients/httpsclient.py", line 333, in handle_parse_chunked self.reset_and_callback() File "/opt/splunk/etc/apps/SplunkRealTimeOutput/bin/real_time_output/clients/httpsclient.py", line 472, in reset_and_callback self.callback(result) File "/opt/splunk/etc/apps/SplunkRealTimeOutput/bin/scripted_inputs/rtoutput.py", line 330, in _cb_syslog sent = syslog.send(output.formatted_events) File "/opt/splunk/etc/apps/SplunkRealTimeOutput/bin/scripted_inputs/rtoutput.py", line 240, in send self.socket.sendto(message, self.address) gaierror: [Errno -2] Name or service not known

Question 1 - The search produces many fields. What happens when these fields not match with any of the CEF fields found ceftool.py? Should I restrict the numbers of fields from the search result to the ones that have a match in ceftool.py ?

Question 2 - the RTO app seems to provide different names than the ones found in ceftool.py?

Question 3 - What is the meaning of the listed error message?

0 Karma
Reply

areber04
Explorer
‎07-28-2014 12:47 PM
  1. You map the Splunk fields to the CEF fields, anything that isn't mapped to a CEF field (either manually via "cef_field_map" or automatically in ceftool.py) won't be in the CEF event.
  2. The RTO app shows the fields that Splunk found during the search on the left and the CEF fields defined in ceftool.py on the right. I modified my ceftool.py to contain every CEF field that is defined in the CEF standard, since ceftool.py is missing a large number of them. I also mapped CIM standard fields to the majority of the CEF fields.
  3. I believe that means that it is unable to resolve the hostname that you are using, though there are many reasons for gaierror to be thrown. Something is causing the socket to be unable to connect. Wrong port, wrong address, wrong permissions, could be many things.
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...