jerewill-cisco / intersight-splunk-addon
An add-on for Splunk to collect data from Cisco Intersight.
License: Other
Currently, only v2 keys are supported.
Frankly, I'm not sure when this problem occurred. When I did the original development around checkpointing, the method call to retrieve the checkpoint would return an exception if the checkpoint didn't exist. The code would catch the exception and set the checkpoint.
At some point, Splunk started returning None for checkpoints that didn't exist. The Add-on wasn't capturing this and was passing the word "None" into Intersight causing the query to quietly retrieve 0 records.
The debug log would have indicated the failure with messages like this...
2022-08-03 19:13:30,971 DEBUG pid=13884 tid=MainThread file=base_modinput.py:log_debug:288 | EXAMPLE | Checkpoint value for audit records is None
2022-08-03 19:13:30,973 DEBUG pid=13884 tid=MainThread file=connectionpool.py:_new_conn:1005 | Starting new HTTPS connection (1): intersight.com:443
2022-08-03 19:13:31,047 DEBUG pid=13884 tid=MainThread file=connectionpool.py:_make_request:465 | https://intersight.com:443 "GET /api/v1/aaa/AuditRecords?$inlinecount=allpages&$orderby=ModTime%20asc&$filter=ModTime%20gt%20None HTTP/1.1" 200 73
2022-08-03 19:13:31,049 INFO pid=13884 tid=MainThread file=base_modinput.py:log_info:295 | EXAMPLE | Found 0 audit records to retrieve
Note that the query was... $filter=ModTime gt None
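The failure described above, guarded against in a short sketch. This is an added example, not code from the add-on: load_checkpoint, audit_query, the getter callables and DEFAULT_START are hypothetical names and values; only the query parameters are taken from the log line above.

```python
import re
from urllib.parse import quote

# Assumed first-run starting point; not a value used by the add-on.
DEFAULT_START = "1970-01-01T00:00:00.000Z"
# Shape of the ModTime values that appear in the logs on this page.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def load_checkpoint(getter, key):
    """Return a usable timestamp whether the checkpoint store raises,
    returns None, or already holds a bad value such as the string 'None'."""
    try:
        value = getter(key)
    except Exception:
        value = None
    if isinstance(value, str) and TS_RE.match(value):
        return value
    return DEFAULT_START


def audit_query(checkpoint):
    """Build the audit-record query string; refuse anything that is not a
    timestamp so a bad checkpoint fails loudly instead of returning 0 rows."""
    if not isinstance(checkpoint, str) or not TS_RE.match(checkpoint):
        raise ValueError("refusing to query with checkpoint %r" % (checkpoint,))
    return ("$inlinecount=allpages"
            "&$orderby=" + quote("ModTime asc") +
            "&$filter=" + quote("ModTime gt " + checkpoint))


if __name__ == "__main__":
    # Constructed getters standing in for the old and new Splunk behaviour.
    def old_style(key):
        raise KeyError(key)

    def new_style(key):
        return None

    for getter in (old_style, new_style):
        print(audit_query(load_checkpoint(getter, "audit")))
```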
The add-on will fail if a cond/HclStatuses record exists for a server that does not have an essential or higher license.
Log message will be similar to the following... Note the 403 and KeyError: 'Results'
2022-06-29 16:09:42,362 DEBUG pid=30876 tid=MainThread file=connectionpool.py:_make_request:465 | https://intersight.com:443 "GET /api/v1/cond/HclStatuses?$top=10&$skip=20 HTTP/1.1" 403 272
2022-06-29 16:09:42,364 ERROR pid=30876 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/ta_intersight_addon/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/intersight.py", line 92, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/input_module_intersight.py", line 496, in collect_events
for data in RESPONSE.json()['Results']:
KeyError: 'Results'
If the checkpoint update lands on an even second, there is no fraction of a second to fill the %f in the strptime.
Logs will appear similar to this...
2022-06-29 15:46:33,784 ERROR pid=28759 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/ta_intersight_addon/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/intersight.py", line 92, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/input_module_intersight.py", line 260, in collect_events
if datetime.datetime.strptime(state, "%Y-%m-%dT%H:%M:%S.%f%z") < datetime.datetime.strptime(data['ModTime'], "%Y-%m-%dT%H:%M:%S.%f%z"):
File "/opt/splunk/lib/python3.7/_strptime.py", line 577, in _strptime_datetime
tt, fraction, gmtoff_fraction = _strptime(data_string, format)
File "/opt/splunk/lib/python3.7/_strptime.py", line 359, in _strptime
(data_string, format))
ValueError: time data '2022-06-28T09:27:40Z' does not match format '%Y-%m-%dT%H:%M:%S.%f%z'
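One way to compare ModTime values that may or may not carry a fractional second, as in the traceback above. This is an added example, not the add-on's code: parse_modtime, advance_checkpoint and the sample records are hypothetical, and it assumes Python 3.7 or later, where %z accepts a trailing Z.

```python
import datetime

# A ModTime that lands on a whole second has no fraction for %f,
# so both layouts have to be accepted.
MODTIME_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")


def parse_modtime(value):
    """Parse a ModTime string with or without fractional seconds."""
    for fmt in MODTIME_FORMATS:
        try:
            return datetime.datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised ModTime: %r" % (value,))


def advance_checkpoint(state, records):
    """Return the newest ModTime string among the checkpoint and the records,
    keeping the original text so it can be stored and reused as-is."""
    newest, newest_dt = state, parse_modtime(state)
    for rec in records:
        dt = parse_modtime(rec["ModTime"])
        if dt > newest_dt:
            newest, newest_dt = rec["ModTime"], dt
    return newest


# Constructed records: one on a whole second, one with a fraction.
SAMPLE_RECORDS = [
    {"ModTime": "2022-06-28T09:27:39.900Z"},
    {"ModTime": "2022-06-28T09:27:40Z"},
]

if __name__ == "__main__":
    print(advance_checkpoint("2022-06-28T09:27:39.500Z", SAMPLE_RECORDS))
```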
Certain advisories cannot be resolved to a server because they are associated with a component of the server and that component inventory is not currently being imported as an inventory item. This is most likely to occur with Field Notices, but it is possible that it could occur with some other advisory type.
An example of this is FN72368 where the AffectedObjectType is memory.Unit. Because individual DIMMs are not currently being imported by the Add-On, the Moid of the AffectedObjectType cannot be resolved to its parent server with the data available in Splunk.
In such cases, the tam.AdvisoryInstance is still available but a further search for the AffectedObjectMoid value will not return any other results.
At least one server must have Essentials level license or higher or the call to cond/HclStatuses will fail.
Output from logs will be similar to this...
2022-06-27 17:52:35,303 INFO pid=15412 tid=MainThread file=base_modinput.py:log_info:295 | EXAMPLE | Retrieving compute HCL status...
2022-06-27 17:52:35,441 ERROR pid=15412 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/ta_intersight_addon/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/intersight.py", line 92, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-intersight-addon/bin/input_module_intersight.py", line 381, in collect_events
for data in RESPONSE.json()['Results']:
KeyError: 'Results'
The exception in the log would include this...
for i in range(0, len(data['Drives'])):
TypeError: object of type 'NoneType' has no len()
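The two KeyError: 'Results' reports and the TypeError above share one cause: the collector indexes into a response without checking its shape, so a single bad page stops the whole run. A defensive version as an added example, not the add-on's code; extract_results, drive_count, collect and the sample pages are hypothetical, and the response bodies are constructed.

```python
def extract_results(status_code, body):
    """Return (results, reason). results is always a list; reason is None
    on success or a short string saying why the page was skipped."""
    if status_code != 200:
        return [], "HTTP %d" % status_code
    if not isinstance(body, dict) or not isinstance(body.get("Results"), list):
        return [], "no Results list in response"
    return body["Results"], None


def drive_count(record):
    """Count drives, treating a missing or null 'Drives' value as empty."""
    return len(record.get("Drives") or [])


def collect(pages):
    """pages: iterable of (status_code, parsed_json_body).
    Keeps going past failed pages and reports them instead of raising."""
    events, skipped = [], []
    for status_code, body in pages:
        results, reason = extract_results(status_code, body)
        if reason is not None:
            skipped.append(reason)
            continue
        for rec in results:
            events.append({"Moid": rec.get("Moid"),
                           "DriveCount": drive_count(rec)})
    return events, skipped


# Constructed pages: a normal one, a 403 with no 'Results', and a 200
# whose body also lacks 'Results'. Field values are placeholders.
SAMPLE_PAGES = [
    (200, {"Results": [{"Moid": "moid-a", "Drives": None},
                       {"Moid": "moid-b", "Drives": [{}, {}]}]}),
    (403, {"message": "constructed error body"}),
    (200, {"Count": 0}),
]

if __name__ == "__main__":
    print(collect(SAMPLE_PAGES))
```

Surfacing the skipped list in the add-on's log at WARNING or ERROR level keeps a license or permission failure visible rather than turning it into missing data.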
Hi, when the Splunk server doesn't have an outside connection, the inputs page on this addon doesn't work. I've tested it on
system info RedHat 7.9
attached logs for this issue
cisco_intersight_logs.txt
There is no support or configuration to allow the Add-on to use an HTTPS proxy to reach Intersight. This is required in many environments where servers cannot reach the Internet directly without using a proxy server.