All Apps and Add-ons

Splunk App & Add-on for AWS: Trying to add inputs, why are we getting "Unable to xml-parse the following data..."?

mikkoc
New Member

Hi there,

We are using Splunk App + Add-on for AWS, latest versions: 4.1.0 and 3.0.0.
We are behind a proxy, which we have correctly configured in the Add-on Proxy settings and etc/splunk-launch.conf.

For any Input we try to add from the App, we keep getting errors similar to these:

Unexpected error occurs. In handler 'splunk_app_aws_aws_metrics': Unable to xml-parse the following data: reply: 'HTTP/1.1 200 Connection established\r\n' send: u'GET https://monitoring.ap-northeast-1.amazonaws.com/?Action=ListMetrics&. See splunkd.log for full data.

Unexpected error occurs. In handler 'splunk_app_aws_aws_sqs': Unable to xml-parse the following data: reply: 'HTTP/1.1 200 Connection established\r\n' send: u'GET https://ap-northeast-1.queue.amazonaws.com/?Action=ListQueues&Versio. See splunkd.log for full data.

The splunkd.log has the full XML response, which looks good to me (it has all the data).

ERROR AdminManagerExternal - Received malformed XML from external handler:\nreply: 'HTTP/1.1 200 Connection established\r\n'\nsend: u'GET https://monitoring.ap-northeast-1.amazonaws.com/?Action=ListMetrics&Version=2010-08-01 HTTP/1.1\r\nAccept-Encoding: identity\r\nHost: monitoring.ap-northeast-1.amazonaws.com\r\nUser-Agent: Boto/2.38.0 Python/2.7.9 Linux/3.10.0-327.el7.x86_64\r\nContent-Length: [...]

So it looks to me like Splunk is not able to parse the responses, although they look valid to me.

Some inputs are already working correctly (Description, Billing, Cloudtrail). We just cannot get past adding those inputs that require to communicate to the AWS API at configuration time.

Is anyone using a proxy and successfully configured all the AWS services?

Thanks,
/MC

0 Karma

kchen_splunk
Splunk Employee
Splunk Employee

Please don't configure proxy in splunk-launch.conf which is not supported and may impact all AddOns, instead use the configuration UI to configure the proxy info.

0 Karma

mikkoc
New Member

We are not configuring the proxy via splunk-launch.conf
Thanks

0 Karma

kchen_splunk
Splunk Employee
Splunk Employee

Wondering what kind of configuration is done in etc/splunk-launch.conf ?

0 Karma

pchen_splunk
Splunk Employee
Splunk Employee

Hi MC

Proxy is supported in AWS App 4.1 and Add-on 3.0. Which proxy do you use? Could you post the proxy name and version? Did you get failure in all inputs, or some of the inputs?

Peter Chen

0 Karma

pchen_splunk
Splunk Employee
Splunk Employee

How many instances do you have in your environment? in case your environment is very big, the endless loading is possible. This issue is fixed in the coming release 4.2.

0 Karma

xinkaiwang
New Member

well, I run into the similar problem when trying to setup splunk app for AWS (4.1.1). I'm not using proxy of any kind, and also some inputs are already working correctly (like in-Use Reserved EC2 Instances count in Usage). We just cannot get pass setup CloudWatch. No matter what AWS account I select, no matter what regions I select, the "loading services... Please wait" ways take forever and then fail. Did I missed anything?

0 Karma

kchen_splunk
Splunk Employee
Splunk Employee

If thare are lots of instances or metrics in your env, the query will timed out eventually. Still you can go ahead to use AddOn's configuration UI to do configuration. We will fix this problem in next release.

0 Karma

mikkoc
New Member

Hi Peter,
we're using:

$ squid -v
Squid Cache: Version 3.3.8

With basic authentication.
It's happening with all the inputs, yes.

Thanks
Mikko

0 Karma

kchen_splunk
Splunk Employee
Splunk Employee

Just wondering if you can get something by using aws cli behind the Squid proxy ?

0 Karma

mikkoc
New Member

I forgot to add that we're seeing the same exact behaviour when trying to add the inputs from the AWS Add-on, rather than the App.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...