Troubleshooting the Splunk App

This topic describes common errors that you might encounter when no data shows up in your indexes. Try the solutions described here.

If no results are found in either Data risks or Database User Activity after you enter the hostname and the API key and API secret, open the Search tab and search the log file to find out more information. The following error types can show up when you search the log file (index=_internal source="*/var/log/splunk/gi_for_splunk-2.0.0.log"):

Note: The log file depends on the version of the Splunk app: Splunk Version 3.3.1 uses gi_for_splunk-3.3.1.log

Auth Error

The following error is displayed when an invalid hostname or an expired API key or API secret is entered.

ERROR Error retrieving risks_event data from GI risks API, please check if GI Host/API values are correct or your GI Host Status: ...

ERROR Error retrieving risks event details for risk ...

Version Error

The following error is displayed when you use a host other than Guardium® Insights 3.3.

INFO Invalid type for variable 'received_data'. Required value type is Riskanalyticscontrollerv3GetRiskEventRowResponse and passed type was str at ['received_data']

Note: When data retrieval succeeds, the Splunk log search displays INFO Modular Input Call Initiated followed by INFO Modular Input call complete. If you do not see INFO Modular Input call complete in the search log, then the Risks data pull is retrieving an excessive amount of data. Decreasing Past Event Days and Data Pulling Interval can help.

Other Errors

If no records are found, your modinput file (modinput.py) might be producing errors. In that case, or if you discover errors that are not listed here, contact IBM Support at c3cvp8ch@ca.ibm.com.
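
To sort a text export of the app log into the cases described on this page, the following added example (not part of the Splunk app or IBM's code) matches the message texts quoted above and flags every Modular Input Call Initiated that is not followed by Modular Input call complete. The function name `triage`, the report keys and the timestamp prefix on the sample lines are assumptions made for illustration.

```python
# Added example: classify gi_for_splunk log lines by the messages quoted on this page.
SIGNATURES = {
    "auth": (
        "Error retrieving risks_event data from GI risks API",
        "Error retrieving risks event details for risk",
    ),
    "version": ("Invalid type for variable 'received_data'",),
}
RUN_START = "modular input call initiated"
RUN_END = "modular input call complete"


def triage(lines):
    """Count auth/version errors and modular input runs that never completed."""
    report = {"auth": 0, "version": 0, "runs": 0, "incomplete_runs": 0}
    run_open = False
    for line in lines:
        lowered = line.lower()
        if RUN_START in lowered:
            if run_open:  # previous run never logged its completion message
                report["incomplete_runs"] += 1
            report["runs"] += 1
            run_open = True
        elif RUN_END in lowered:
            run_open = False
        else:
            for kind, needles in SIGNATURES.items():
                if any(needle in line for needle in needles):
                    report[kind] += 1
    if run_open:  # last run in the export has no completion (may still be running)
        report["incomplete_runs"] += 1
    return report


# Constructed sample; the timestamp prefix is an assumption about the log layout.
SAMPLE = """\
2024-01-01 10:00:00 INFO Modular Input Call Initiated
2024-01-01 10:00:05 INFO Modular Input call complete
2024-01-01 10:05:00 INFO Modular Input Call Initiated
2024-01-01 10:05:02 ERROR Error retrieving risks_event data from GI risks API, please check if GI Host/API values are correct or your GI Host Status: ...
2024-01-01 10:10:00 INFO Modular Input Call Initiated
2024-01-01 10:10:01 INFO Invalid type for variable 'received_data'. Required value type is Riskanalyticscontrollerv3GetRiskEventRowResponse and passed type was str at ['received_data']
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero `incomplete_runs` count corresponds to the case where reducing Past Event Days and Data Pulling Interval can help.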