Splunk for netwitness is not working.

happy035
Explorer

Hi there,

I installed Splunk for NetWitness and set up all the configuration, but it's not working well.
The error log is below:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness/bin/nwsdk.py" 2013-Mar-12 18:04:35 - INFO: No new sessions to read from http://netbox_IP:50105/

And my Splunk box info is here:
Linux 3.5.0-25-generic #39~precise1-Ubuntu SMP Tue Feb 26 00:07:14 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

When I ping NetWitness, everything is OK. My config file, named nwsdk.conf, is located at /opt/splunk/etc/apps/netwitness/local/nwsdk.conf.
I have no idea why this app does not work from my Linux box.

1 Solution

rataide
Path Finder

Hi,

The message suggests that you can connect to your NW device correctly; the app just thinks there is no new data that needs to be read. Is this a busy system, or a test system with no new data constantly flowing into it?

Also, please check whether the last_sid_file (default: /var/tmp/.last_sessionid) exists. If so, its contents might be corrupted, and the value in there could be larger than the latest session ID on the NetWitness DB.

If that's the case, simply deleting the file should force a restart of data collection based on the latest 5 minutes of events on the NW DB.

Are there any other error messages from when the application first started?

You can also run it from the command line to check for errors, using the command $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/netwitness/bin/nwsdk.py if needed, but if it is successful the output might be rather large.

Hope that helps! If not please let me know and I'll try to assist further.

Thank you,

Rui
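
One way to automate the last_sid_file check described in this answer, as an added example that is not part of the original thread and not the app's own code. It assumes the state file holds a single non-negative integer session ID, and that the latest session ID on the NetWitness DB is looked up separately (for example from the NW device) and passed in by the caller; the temp-dir paths and sample values in demo() are constructed for illustration.

```python
import os
import tempfile

# Default state-file location named in the answer above.
DEFAULT_LAST_SID_FILE = "/var/tmp/.last_sessionid"


def load_state(path):
    """Read the collector's high-water mark.

    Returns ('missing', None) if the file does not exist, ('corrupt', raw)
    if its contents are not a non-negative integer (assumed storage format),
    and ('present', int) otherwise.
    """
    if not os.path.exists(path):
        return "missing", None
    with open(path, "r") as fh:
        raw = fh.read().strip()
    if not raw.isdigit():
        return "corrupt", raw
    return "present", int(raw)


def diagnose(path, latest_sid):
    """Compare the stored session ID with the newest ID on the NetWitness DB.

    latest_sid is supplied by the caller; how it is obtained from the NW
    device is outside this example (assumption). A stored ID larger than
    latest_sid means the collector keeps asking for sessions that do not
    exist yet, which is consistent with the 'No new sessions to read' log.
    """
    status, value = load_state(path)
    if status != "present":
        return status
    if value > latest_sid:
        return "ahead_of_db"
    return "ok"


def reset_if_stale(path, latest_sid):
    """Delete the state file when it is corrupt or ahead of the DB, so the
    collector restarts from the last five minutes of events as the answer
    describes. Returns the diagnosis so the caller can log it."""
    verdict = diagnose(path, latest_sid)
    if verdict in ("corrupt", "ahead_of_db"):
        os.remove(path)
    return verdict


def demo():
    """Run the check over constructed state files in a temp directory.
    Returns {case: (verdict, file_still_exists)}."""
    latest_sid = 1000  # constructed value standing in for the NW DB's newest session ID
    cases = {"ahead": "1500", "ok": "900", "corrupt": "-2\n", "missing": None}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in cases.items():
            path = os.path.join(tmp, name)
            if content is not None:
                with open(path, "w") as fh:
                    fh.write(content)
            verdict = reset_if_stale(path, latest_sid)
            results[name] = (verdict, os.path.exists(path))
    return results


if __name__ == "__main__":
    for case, (verdict, kept) in demo().items():
        print(f"{case:8s} -> {verdict:12s} file kept: {kept}")
```

In production you would call reset_if_stale(DEFAULT_LAST_SID_FILE, latest_sid) from the Splunk user with the app stopped, so the collector does not rewrite the file while you are inspecting it; only a corrupt or too-large value is removed, a valid value at or below the DB's newest session ID is left alone.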

rataide
Path Finder

Great! Glad to hear you got it sorted.

Thank you for letting me know!

0 Karma

happy035
Explorer

Thank you for your kind answer, Rui. I succeeded in running this app. As you thought, the no_sid_file config value may have had some problem, but I am not sure of that. I changed the no_sid_file value from -2 to 0.
After that I can see all the data. Thank you for your help.
Regards,

0 Karma