Solved: Splunk Add-on for Microsoft Azure: Why am I gettin...

kmanson · ‎05-10-2016

Getting an error when trying to read generic Azure Storage table logs. Even tried with the Start Date/Time blank and still get the error below. Any Ideas?

05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" Traceback (most recent call last):
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 426, in <module>
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     do_run()
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 305, in do_run
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     dateTimeStart = dateutil.parser.parse(marker)
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 1008, in parse
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     return DEFAULTPARSER.parse(timestr, **kwargs)
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 395, in parse
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     raise ValueError("Unknown string format")
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" ValueError: Unknown string format

kmanson · ‎05-27-2016

From Jason Conger: Try clearing the checkpoint. To do this, stop the Splunk instance where the Azure add-on is running and type the following at the command line:

$SPLUNK_HOME/bin/splunk clean inputdata AzureStorageTable

This worked for me.

View solution in original post

kmanson · ‎05-27-2016

From Jason Conger: Try clearing the checkpoint. To do this, stop the Splunk instance where the Azure add-on is running and type the following at the command line:

$SPLUNK_HOME/bin/splunk clean inputdata AzureStorageTable

This worked for me.

jconger · ‎05-10-2016

A new version (1.2.1) is available that should address this issue.

kmanson · ‎05-12-2016

Why is it even getting to line 304 in AzureStorageTable.py? There is no marker but its logging that there is a marker.

if marker is not None:
                # If we have a marker, then we just pick up there.
                logging.debug("Marker found for table %s: %s" % (table_name, marker))
                dateTimeStart = dateutil.parser.parse(marker)

ValueError: Unknown string format
        raise ValueError("Unknown string format")
      File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 395, in parse
        return DEFAULTPARSER.parse(timestr, **kwargs)
      File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 1008, in parse
        dateTimeStart = dateutil.parser.parse(marker)
      File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 307, in do_run
        do_run()
      File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 429, in <module>
    Traceback (most recent call last):
    AzureStorageTable:306 - Marker found for table WADWindowsEventLogsTable: None
    AzureStorageTable:285 - Overriding dateTimeStart. New value = '2016-05-06 00:00:00'
    AzureStorageTable:280 - dateTimeStart = '2016-05-10T12:31:03.393043'
    AzureStorageTable:402 - XML: 'table_name' -> 'WADWindowsEventLogsTable'
    AzureStorageTable:398 - XML: found param 'table_name'
    AzureStorageTable:402 - XML: 'storage_account' -> 'REDACTED'
    AzureStorageTable:398 - XML: found param 'storage_account'
    AzureStorageTable:402 - XML: 'sourcetype' -> 'azure:storage:table'
    AzureStorageTable:398 - XML: found param 'sourcetype'
    AzureStorageTable:402 - XML: 'select_string' -> 'RawXml,Timestamp'
    AzureStorageTable:398 - XML: found param 'select_string'
    AzureStorageTable:402 - XML: 'pollingInterval' -> '60'
    AzureStorageTable:398 - XML: found param 'pollingInterval'
    AzureStorageTable:402 - XML: 'limit' -> '1000'
    AzureStorageTable:398 - XML: found param 'limit'
    AzureStorageTable:402 - XML: 'index' -> 'wineventlog'
    AzureStorageTable:398 - XML: found param 'index'
    AzureStorageTable:402 - XML: 'host' -> 'REDACTED'
    AzureStorageTable:398 - XML: found param 'host'
    AzureStorageTable:402 - XML: 'dateTimeStart' -> '2016-05-06'
    AzureStorageTable:398 - XML: found param 'dateTimeStart'
    AzureStorageTable:402 - XML: 'dateTimeColumn' -> 'Timestamp'
    AzureStorageTable:398 - XML: found param 'dateTimeColumn'
    AzureStorageTable:402 - XML: 'access_key' -> 'REDACTED'
    AzureStorageTable:398 - XML: found param 'access_key'
    AzureStorageTable:392 - XML: found stanza AzureStorageTable://REDACTED
    AzureStorageTable:387 - XML: found configuration

kmanson · ‎05-10-2016

Humm, still having the same errors. Whats the correct format for the date? I tried blank and 20160509T191536Z.

jconger · ‎05-11-2016

No date should work. But, 2016-05-09 should work as well.

Splunk Add-on for Microsoft Azure: Why am I getting Start Date/Time error "Unknown string format"?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor