
Cisco eStreamer eNcore Add-on for Splunk: error after installation

DomenicoFumarol
Explorer

Hi All,
Following this other question we were able to configure the TA add-on, but no matter how many times we ticked the "Is enabled" box and saved, the process didn't start (we had a tail -f on the FMC's messages file) on an Ubuntu installation. The only way we could start it was manually (which is not ideal, since the process does not seem to go down when the splunkd daemon is shut down).

At first the Python script seems to be running, saving a few MBs locally, but then it crashes and goes into an Error state:

$ ./splencore.sh status
status_id=-1 status="Error"

This is the error message on the client side:

2017-09-05 15:33:03,256 Service      ERROR    OSError:
Traceback (most recent call last):
  File "./estreamer/service.py", line 179, in main
    self.start( reprocessPkcs12 = args.pkcs12 )
  File "./estreamer/service.py", line 148, in start
    self._posix()
  File "./estreamer/service.py", line 90, in _posix
    self._loop()
  File "./estreamer/service.py", line 67, in _loop
    if not condition.isTrue():
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/condition/splunk.py", line 33, in isTrue
    'status' ] )
  File "/usr/lib/python2.7/subprocess.py", line 567, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

On the FMC side, the only error we see is this:

Sep  5 13:33:03 Server-FMC SF-IMS[14050]: [14050] EventStreamer child(IP-eStreamer-Client):sfestreamer [ERROR] Unable to receive message: General read error

Thank you for all your assistance.

1 Solution

sastrach
Path Finder

Hi! Have you enabled the script inputs?

Navigate to Settings > Data Inputs > Scripts and enable the three TA-eStreamer inputs (especially the second one):

  • cisco:estreamer:clean – this script has no output but is used to delete data files older than 12 hours
  • cisco:estreamer:log – this script uses the stdout of eNcore to take program log data. This becomes very useful where things are not going to plan. It also runs encore.
  • cisco:estreamer:status – this script runs periodically to maintain a clear status of whether the program is running or not

(Also navigate to Settings > Data Inputs > Files & Directories and enable the single TA-eStreamer app input (cisco:estreamer:data) – this is where the main output data files are saved.)

Running splencore.sh from the command line will not work and is not supported. The script requires that certain environment variables are set up - which is done by Splunk; without the variables, the script will fail.

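The traceback in the question and the accepted answer describe the same failure from two sides: the add-on's condition check calls subprocess.check_output on the Splunk CLI (the trailing 'status' argument suggests a `splunk status` call), and OSError [Errno 2] from Popen means the executable in that argument list could not be found, which is what happens when the script is launched by hand without the environment splunkd provides. The following is an added example, not code from the thread, the TA-eStreamer add-on or Cisco; it assumes the CLI path is derived from a SPLUNK_HOME variable (an assumption, not something the thread states) and shows the unguarded check beside a guarded variant that reports why the check cannot run instead of crashing the service loop. The stub SPLUNK_HOME it builds is a constructed fixture with sample output, not a real Splunk install.

```python
"""Added example, not part of the TA-eStreamer add-on or this thread.

Reproduces the failure mode from the question's traceback: a scripted
input shells out to the Splunk CLI, and when the environment splunkd
sets up (assumed here to be SPLUNK_HOME) is missing, subprocess raises
OSError [Errno 2]. The guarded variant classifies the failure first.
"""
import os
import shutil
import stat
import subprocess
import tempfile


def splunk_cli_path(env):
    """Derive the Splunk CLI path from SPLUNK_HOME (assumption: splunkd
    exports it to scripted inputs). Returns None when it is unset."""
    home = env.get("SPLUNK_HOME")
    if not home:
        return None
    return os.path.join(home, "bin", "splunk")


def raw_condition_check(env):
    """Unguarded check shaped like the add-on's condition: run
    `splunk status` and return its stdout. If the CLI cannot be found,
    this raises OSError with errno 2, exactly as in the traceback."""
    cli = splunk_cli_path(env) or "splunk"
    return subprocess.check_output([cli, "status"], env=env)


def raw_check_errno(env):
    """Return the errno the unguarded check raises, or None on success."""
    try:
        raw_condition_check(env)
    except OSError as exc:
        return exc.errno
    return None


def check_splunk_status(env, timeout=10):
    """Guarded variant: explain why the check cannot run instead of
    crashing. Returns a (state, detail) tuple."""
    cli = splunk_cli_path(env)
    if cli is None:
        return ("missing_env",
                "SPLUNK_HOME is not set: the input was not launched by splunkd")
    if not (os.path.isfile(cli) and os.access(cli, os.X_OK)):
        return ("missing_binary", cli)
    try:
        out = subprocess.check_output([cli, "status"], env=env,
                                      stderr=subprocess.STDOUT, timeout=timeout)
    except OSError as exc:  # binary vanished or lost its exec bit in between
        return ("exec_error", str(exc))
    except subprocess.CalledProcessError as exc:
        # `splunk status` exits non-zero when splunkd is down
        return ("not_running", exc.output.decode("utf-8", "replace").strip())
    except subprocess.TimeoutExpired:
        return ("timeout", cli)
    text = out.decode("utf-8", "replace").strip()
    return ("running" if "is running" in text else "unknown", text)


def make_stub_splunk_home(running=True):
    """Build a constructed, throwaway SPLUNK_HOME whose bin/splunk is a
    shell stub printing sample `splunk status` text (not real Splunk)."""
    home = tempfile.mkdtemp(prefix="stub_splunk_")
    bindir = os.path.join(home, "bin")
    os.makedirs(bindir)
    cli = os.path.join(bindir, "splunk")
    if running:
        body = 'echo "splunkd is running (PID: 1234)."\n'
    else:
        body = 'echo "splunkd is not running."\nexit 3\n'
    with open(cli, "w") as fh:
        fh.write("#!/bin/sh\n" + body)
    os.chmod(cli, os.stat(cli).st_mode | stat.S_IXUSR)
    return home


def remove_stub_splunk_home(home):
    """Delete a fixture created by make_stub_splunk_home."""
    shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(check_splunk_status({}))  # what a bare shell launch looks like
    home = make_stub_splunk_home()
    try:
        print(check_splunk_status({"SPLUNK_HOME": home}))
    finally:
        remove_stub_splunk_home(home)
```

Run it directly to see the "missing_env" result a manual launch produces, followed by the "running" result once a SPLUNK_HOME with an executable CLI is present. The point for operators is that the bare OSError carries no hint about which executable was missing; classifying the cause before calling the CLI turns a crash of the eNcore service loop into a status line that can be logged and searched.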

DomenicoFumarol
Explorer

Thank you, this indeed solved the starting issue, but unfortunately the eStreamer client quits with an error due to bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve44987, so I think we need to upgrade FMC to one of the fixed releases.


sastrach
Path Finder

I'm glad we're slowly getting there. Please get in contact with TAC and send them that link - they should help you with patches.

