quickchart / hostnames not populated

[pmeyerson]

Hi! I was very excited to hear about this project! I am ingesting my RRD values into Splunk OK but I do not seem to be getting the lookup data. no cacti:lookup:mirage events in splunk and the quick charts dash has no events and drop-downs say 'no results' or 'could not create search'.

I notice that the inputs.conf references a bin/cacti_lookup_mirage.py and I could not find this file nor the /bin. My cacti is installed in /var/www/html.

Any ides on what the issue could be or where I can start troubleshooting?

Thank you!

Apologies if this is filed in the wrong place - new to git.

[mr-menno]

Did you put the Splunk forwarder on the Cacti server? And did you add the Cacti Mirage Add-on onto the Splunk forwarder?

On Apr 20, 2016, at 2:54 PM, pmeyerson notifications@github.com wrote:

Hi! I was very excited to hear about this project! I am ingesting my RRD values into Splunk OK but I do not seem to be getting the lookup data. no cacti:lookup:mirage events in splunk and the quick charts dash has no events and drop-downs say 'no results' or 'could not create search'.

I notice that the inputs.conf references a bin/cacti_lookup_mirage.py and I could not find this file nor the /bin. My cacti is installed in /var/www/html.

Any ides on what the issue could be or where I can start troubleshooting?

Thank you!

Apologies if this is filed in the wrong place - new to git.

— You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub

[pmeyerson]

I did, it looks like the permissions might not have been correct on cacti_lookup_mirage.py, it was missing execute permission. I adjusted that and report back.

Thank you.

[pmeyerson]

My cacti_lookup_mirage.csv file is not being updated, it has the field names but none of my data in.

I left the packaged inputs.conf in /splunkforwarder/etc/apps/Splunk_TA/Cacti/default, copied it to /splunkforwarder/etc/system/local, and modifed it to:

[default] host=hococacti01.hoconet.net

[monitor:///var/www/html/log/mirage_poller_output.log*] disabled = false index = cacti sourcetype = cacti:mirage

[monitor:///var/www/html/log/cacti.log] disabled = false index = cacti sourcetype = cacti:system

[script:///opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html/log] source = cacti_lookup_mirage.py disabled = false index = cacti sourcetype = cacti:lookup:mirage interval = 0 11 * * *

interval = 86400

Is there something wrong with the script line? The rest of the data seems to be getting to my indexer OK

file permission: -rwxr--r-- 1 splunk splunk 2200 Jan 29 16:19 cacti_lookup_mirage.py -rw-r--r-- 1 splunk splunk 72 Jan 29 16:19 cacti_lookup_mirage.csv

Thanks.

[mr-menno]

The CSV file is not used on the forwarder. It should generate the data using the script, which will send it to your splunk indexers. (run a search: index=cacti sourcetype=cacti:lookup:mirage)

If that generates search results, the script is working correctly.

You need to deploy the TA on your indexers and search heads as well. On the search head, a scheduled search grabs this data from the search above, and generates the lookup on the search head.

On 25 April 2016 at 09:08, pmeyerson notifications@github.com wrote:

My cacti_lookup_mirage.csv file is not being updated, it has the field names but none of my data in.

I left the packaged inputs.conf in /splunkforwarder/etc/apps/Splunk_TA/Cacti/default, copied it to /splunkforwarder/etc/system/local, and modifed it to:

[default] host=hococacti01.hoconet.net

[monitor:///var/www/html/log/mirage_poller_output.log*] disabled = false index = cacti sourcetype = cacti:mirage

[monitor:///var/www/html/log/cacti.log] disabled = false index = cacti sourcetype = cacti:system

[script:///opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html/log] source = cacti_lookup_mirage.py disabled = false index = cacti sourcetype = cacti:lookup:mirage interval = 0 11 * * *

interval = 86400

Is there something wrong with the script line? The rest of the data seems to be getting to my indexer OK

file permission: -rwxr--r-- 1 splunk splunk 2200 Jan 29 16:19 cacti_lookup_mirage.py -rw-r--r-- 1 splunk splunk 72 Jan 29 16:19 cacti_lookup_mirage.csv

Thanks.

— You are receiving this because you commented. Reply to this email directly or view it on GitHub https://github.com/n00badmin/mirage/issues/1#issuecomment-214384061

[pmeyerson]

If I run the .py lookup script manually I get an error that results is not defined, is this expected?

[root@localhost bin]# pwd /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin [root@localhost bin]# python cacti_lookup_mirage.py /var/www/html [cacti_lookup_mirage] failed to run mysql client [cacti_lookup_mirage] mysql --user="..." --password="..." --host="127.0.0.1" -P3306 -D cacti Traceback (most recent call last): File "cacti_lookup_mirage.py", line 41, in sys.stdout.write(results); NameError: name 'results' is not defined

[root@localhost bin]# python Python 2.6.6 (r266:84292, Sep 11 2012, 08:34:23) [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)] on linux2 Type "help", "copyright", "credits" or "license" for more information.

Just noticed your last reply, sorry. I get no results from that search. TA is install on both the splunk server (single server deployment) and my cacti server, which also has the universal forwarder.

I do see sourcetype=cacti:mirage events when I search in splunk, just not any of the lookups.

I just re-read the install instructions and missed a step, I've corrected the inputs.conf location , set the cron script to every 15 minutes, and restarted splunk. Will post back results. Thank you.

[pmeyerson]

This doesn't seem to fix the issue but I think I followed the correct install steps now. I do see the same error message showing up in the splunkd.log which I did not before:

04-25-2016 15:30:00.128 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html" [cacti_lookup_mirage] failed to run mysql client 04-25-2016 15:30:00.128 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html" [cacti_lookup_mirage] mysql --user="..." --password="..." --host="127.0.0.1" -P3306 -D cacti 04-25-2016 15:30:00.128 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html" Traceback (most recent call last): 04-25-2016 15:30:00.128 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html" File "/opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py", line 41, in 04-25-2016 15:30:00.128 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html" sys.stdout.write(results); 04-25-2016 15:30:00.128 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/Splunk_TA_Cacti/bin/cacti_lookup_mirage.py /var/www/html" NameError: name 'results' is not defined

I see cacti:system and cacti:mirage events when I search on splunk, but no cacti:lookup:mirage results.

[pmeyerson]

In case anyone else has this issue, looks like you may need python2.7. Script seems to run without error when I use it with python2.7.

[n00badmin]

Closing this issue.

Please report Splunk integration issues on Splunk Answers.

Thanks!