Cisco-AMP / amp4e_splunk_events_input

BSD 2-Clause "Simplified" License

New Input gray out #82

Open raulsilva84 opened 2 years ago

raulsilva84 commented 2 years ago

API Client (read and write)
Able to connect to export-streaming.amp.cisco.cm or api.amp.cisco.com
App version: 2.0.2
Splunk Instance: 8.2.5
Event Streams: 3

Getting the following error:

2022-03-15 13:05:53,740 ERROR Amp4eEvents - ConnectionError(ProtocolError('Connection aborted.', BadStatusLine('AMQP\x00\x00\t\x01')))
2022-03-15 13:05:53,740 ERROR Amp4eEvents - ConnectionError(ProtocolError('Connection aborted.', BadStatusLine('AMQP\x00\x00\t\x01')))
2022-03-15 13:05:53,741 ERROR ('Connection aborted.', BadStatusLine('AMQP\x00\x00\t\x01'))
2022-03-15 13:05:53,741 ERROR Amp4eEvents - API Error (status 502): Request failure: <class 'requests.exceptions.ConnectionError'>

smalluk commented 2 years ago

I know there is a limit on the number of event streams. Try just one to start with.

raulsilva84 commented 2 years ago

Hi @smalluk

Thanks for replying back to me. Indeed, there is a limit on the number of event streams, but based on the documentation, the minimum is less than 4.

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215973-amp-for-endpoints-integration-with-splun.html

raulsilva84 commented 2 years ago

Hello team,

We reinstalled the Splunk instance and added the configuration using api.amp.cisco.com as the URL, and we are seeing:

2022-04-07 12:20:11,671 INFO Amp4eEvents - Received response from ApiService (200)
2022-04-07 12:20:11,671 INFO Amp4eEvents - Received response from ApiService (200)
2022-04-07 12:26:28,062 INFO Amp4eEvents - Received response from ApiService (200)
2022-04-07 12:26:28,062 INFO Amp4eEvents - Received response from ApiService (200)

However, we are unable to add a new input; the options for the new input are still all grayed out.

Tried to run the diag; however, we are getting the following error:

failure encountered initializing diag extensions for app amp4e_events_input...
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/site-packages/splunk/clilib/info_gather.py", line 4617, in main
    import_app_ext(app_info) # modifies app_info
  File "/opt/splunk/lib/python3.7/site-packages/splunk/clilib/info_gather.py", line 4569, in import_app_ext
    app_info.diag_extension_file)
  File "/opt/splunk/lib/python3.7/imp.py", line 171, in load_source
    module = _load(spec)
  File "", line 696, in _load
  File "", line 677, in _load_unlocked
  File "", line 728, in exec_module
  File "", line 219, in _call_with_frames_removed
  File "/opt/splunk/etc/apps/amp4e_events_input/bin/diagnosis.py", line 10, in
    from urlparse import urlsplit
ModuleNotFoundError: No module named 'urlparse'

...proceeding
Usage: splunk diag [options]

diag: error: Unknown components requested: app:amp4e_events_input

App version: 2.0.2
Splunk Instance: 8.2.5
Event Streams: 3

We appreciate any suggestion or help!

Regards,

tanazy commented 2 years ago

Hello, in the upper right corner on the New Input tab, there is a blue circle with an exclamation point inside. You need to click on it, a dialog box will pop up: "This dashboard has been updated. If you have any issues with this dashboard, contact the dashboard's owner. You can also temporarily open a previous view of this dashboard." Click on the link and a dashboard will open where you can enter data. I could only do it this way.