- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Cisco AMP for Endpoints Events Input - why am I no...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco AMP for Endpoints Events Input - why am I not getting any data in the "New Input" tab?
I am running Splunk Version 6.5.0 on Linux
I have installed Cisco AMP for Endpoints Events Input (https://splunkbase.splunk.com/app/3670/) on my indexer and filled out the configuration field with my API host , API id, and API key. However, when I go to the "new inputs" tab it just says "please wait..." nothing is populating within the app. I can make an API call using curl and see that I can get data from Cisco AMP for endpoints. Has anybody else had this problem with the app or a potential solution? Any help would be most appreciated!
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey kbabwah,
I am going through this right now myself.
In this file:
$SPLUNK_HOME/etc/apps/amp4e_events_input/appserver/controllers/amp_streams_api_controller.py
find the line #11:
sys.path.append(make_splunkhome_path(["etc", "apps", "amp4e_events_input", "bin"]))
replace it with:
sys.path.insert(0, make_splunkhome_path(["etc", "apps", "amp4e_events_input", "bin"]))
Afterwards, please restart your Splunk instance and check if the issue persists.
source:
https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have reviewed github and made that revision but nothing happened. It is also very weird that I have no log data about it in splunkd.log. it seems to just not doing anything once I put the configurations in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you configuring this on a forwarder or on one of your searcheads? After making the change and restarting Splunk, "$SPLUNK_HOME/bin/splunk restart" it fixed the boxes being grayed out, and allowed me to add inputs.
Unfortunately im unable to help too much beyond that. The app is developer supported, and their contact address is on their app page in splunkbase. I got a response back within a day or two and they were very helpful.
I worked with one of their developers yesterday and he mentioned compatability issues with Splunk 7, so if it is on a forwarder or serchead running 7.x, may i suggest moving it to one running 6.x if possible.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
