Troubleshooting the Splunk App
The following are common errors that you might encounter when no data is showing up in your indexes. Try the solutions described here.
If no results are found in either Data risks or Database User Activity after you enter the hostname and the API key and API secret, open the Search tab and search the log file to find out more information. The following error types show up while searching the log file: (index=_internal source="*/var/log/splunk/gi_for_splunk-2.0.0.log")
Note: The log file depends on the version of the Splunk app: Splunk Version 2.0.0 uses gi_for_splunk-2.0.0.log
- Auth Error
The following error is displayed when an invalid hostname or an expired API key or API secret is entered.
INFO Error retrieving risks_event data from GI risks API, please check if GI Host/API values are correct or your GI Host Status
- Version Error
The following error is displayed when you use a host other than Guardium Insights 3.2.
INFO Invalid type for variable 'received_data'. Required value type is Riskanalyticscontrollerv3GetRiskEventRowResponse and passed type was str at ['received_data']
Note: For successful data retrieval,
INFO Modular Input Call Initiated
and then
INFO Modular Input call complete
is displayed in the Splunk log search. If you do not see
INFO Modular Input call complete
in the search log, then either the Reports data or the Risks data is pulling an excessive amount of data. Decreasing Past Event Days and Data Pulling Interval can help.
- Other Errors
If no records are found, then your modinput file (modinput.py) might be producing errors. In that case, or if you discover errors that are not listed, contact IBM Support at email@example.com.
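As an added example (not part of the IBM documentation or the app's own code), the following Python script sorts lines exported from the app log into the cases listed above, including a Modular Input call that was initiated but never logged completion. The line layout, the sample lines, the function names triage and advice, and the rule that a listed error closes an open call are assumptions.

```python
# Message fragments quoted on this page, lowercased. Matching is by substring,
# so the timestamp/prefix layout of a log line (assumed below) does not matter.
AUTH = "please check if gi host/api values are correct"
VERSION = "invalid type for variable 'received_data'"
START = "modular input call initiated"
DONE = "modular input call complete"

def triage(lines):
    """Count each failure mode described above in the app's log lines."""
    counts = {"auth": 0, "version": 0, "completed": 0, "incomplete": 0}
    call_open = False
    for raw in lines:
        line = raw.lower()
        if AUTH in line or VERSION in line:
            counts["auth" if AUTH in line else "version"] += 1
            call_open = False  # assumption: a listed error explains this call
        elif START in line:
            if call_open:  # previous call never logged completion
                counts["incomplete"] += 1
            call_open = True
        elif DONE in line:
            call_open = False
            counts["completed"] += 1
    if call_open:  # no completion line for the last call (may still be running)
        counts["incomplete"] += 1
    return counts

def advice(counts):
    """Map the counts to the remedies this page gives."""
    out = []
    if counts["auth"]:
        out.append("Auth Error: check hostname, API key and API secret")
    if counts["version"]:
        out.append("Version Error: host is not Guardium Insights 3.2")
    if counts["incomplete"]:
        out.append("Incomplete call: decrease Past Event Days and Data Pulling Interval")
    if not out and not counts["completed"]:
        out.append("Other Errors: check modinput.py or contact IBM Support")
    return out

# Constructed sample lines; timestamps and layout are illustrative.
SAMPLE = [
    "2024-01-01 10:00:00 INFO Modular Input Call Initiated",
    "2024-01-01 10:00:05 INFO Modular Input call complete",
    "2024-01-01 10:05:00 INFO Modular Input Call Initiated",
    "2024-01-01 10:05:02 INFO Error retrieving risks_event data from GI risks API, please check if GI Host/API values are correct or your GI Host Status",
    "2024-01-01 10:10:00 INFO Modular Input Call Initiated",
]
```

Feed it the lines returned by the log search above, for example advice(triage(open(path))) on an exported results file.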