I have installed the Netwitness query app. Configured the credentials, tested the REST api call using CURL and am still receiving the below errors when enabling the app on my search head. Any thoughts or inputs on this issue?
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" 2017-Feb-28 18:58:25 - ERROR: Couldn't read authentication details PassAuth or from nwsdk_query.conf.
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" No handlers could be found for logger "splunk.rest.format"
Here is what I get when running the python script in the CLI.
python nwsdk_query.py
Traceback (most recent call last):
File "nwsdk_query.py", line 308, in
from splunk.clilib.cli_common import getMergedConf
ImportError: No module named splunk.clilib.cli_common
Hi All,
It turns out this is related to the use of single sign-on and PassAuth. If you are using single sign-on, for now the only option is to configure your NetWitness credentials in the configuration file.
I do see the irony in it, but unfortunately I'm not sure if/how I will be able to address it. Maybe someone from Splunk can pitch in here with what would be the solution in these cases.
Thank you,
Rui
Thanks again for your assistance with troubleshooting this!
Hi,
That is now a different issue: it seems like the URL for the REST API the script should connect to is missing from the configuration file. The library error is no longer an issue.
The TOP_LEVEL_URL should look something like http(s)://IP_OF_Broker_or_Concentrator:Port/
Hope this helps!
Thank you,
Rui
Hm, I am a bit confused as I have input the top_level_url in /local/nwsdk_query.conf. I am able to curl the URL with no issues.
[rest]
top_level_url=http://10.0.0.0:50103/
username=admin
password=netwitness
last_mid_file=/opt/splunk/etc/apps/netwitness_query/local/last_mid.query
query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where service=80
max_meta=2500
sleep=5
verbose=True
I'm wondering if there's a permissions issue or a problem with the filename... that is causing the access to it to fail. But it's even stranger as it should at least read the one in the default directory...
The library being used is Splunk's default library to process configuration files that would merge default and local files with the same name.
My email is in the code; if you prefer to reach out to me directly with file details, directory listings or other more sensitive information, please feel free to use it.
Thank you,
Rui
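As an added illustration of the default/local merge Rui describes above (example code, not the netwitness_query app's own; the conf contents and file layout are constructed):

```python
"""Added example, not code from the netwitness_query app: a standard-library
stand-in for the default/local layering Splunk's getMergedConf performs, so
the "Couldn't read TOP_LEVEL_URL" condition can be reproduced outside Splunk.
Assumes configparser's case-insensitive keys and that an absent layer simply
contributes nothing; all file contents below are constructed."""
import configparser
import os
import tempfile

REQUIRED_REST_KEYS = ("top_level_url", "username", "password")
# Constructed layers: default/ ships empty placeholders, local/ holds the
# values from the poster's /local/nwsdk_query.conf.
DEFAULT_CONF = "[rest]\ntop_level_url=\nusername=\npassword=\nmax_meta=2500\nsleep=5\n"
LOCAL_CONF = "[rest]\ntop_level_url=http://10.0.0.0:50103/\nusername=admin\npassword=netwitness\n"

def load_layered_conf(app_dir, name):
    """Read default/<name>.conf then local/<name>.conf under app_dir; later
    layers override earlier ones key by key, so creds can live in local/."""
    merged = {}
    for layer in ("default", "local"):
        path = os.path.join(app_dir, layer, name + ".conf")
        if not os.path.isfile(path):
            continue  # an absent layer is normal; a misnamed file looks the same
        cp = configparser.RawConfigParser()
        cp.read(path)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp.items(stanza))
    return merged

def missing_rest_keys(conf):
    """Keys the script needs that are absent or empty in the [rest] stanza."""
    rest = conf.get("rest", {})
    return [k for k in REQUIRED_REST_KEYS if not rest.get(k)]

def write_layer(app_dir, layer, text):
    os.makedirs(os.path.join(app_dir, layer), exist_ok=True)
    with open(os.path.join(app_dir, layer, "nwsdk_query.conf"), "w") as f:
        f.write(text)

def demo():
    """Missing keys with only default/ present, then after local/ is added."""
    with tempfile.TemporaryDirectory() as tmp:
        write_layer(tmp, "default", DEFAULT_CONF)
        before = missing_rest_keys(load_layered_conf(tmp, "nwsdk_query"))
        write_layer(tmp, "local", LOCAL_CONF)
        merged = load_layered_conf(tmp, "nwsdk_query")
        return before, missing_rest_keys(merged), merged["rest"]["max_meta"]

if __name__ == "__main__":
    print(demo())  # (['top_level_url', 'username', 'password'], [], '2500')
```

If the local file is misnamed or unreadable, only the default layer is seen and the required keys come back empty, which is the same situation the script reports.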
Hi Rui,
I ran the script and received the below error. I also tried while hardcoding the credentials in the script with no luck.
./splunk cmd python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py
2017-Mar-02 01:19:01 - ERROR: Couldn't read TOP_LEVEL_URL from nwsdk_query.conf.
Are you running it with ./splunk cmd python script_path? Sorry, markup messed up my first reply.
That library is exclusive to Splunk's python distribution. Could it be that the script is running with the system python distribution instead of Splunk's too?
Alternatively, just try with the credentials on the script; that should always work, although that library is still required to read the configuration file.
Hope this helps!
Regards,
Rui