Troubleshooting the Splunk App
This topic describes common errors that you might encounter when no data is showing up in your indexes, along with the solutions to try.
If no results are found in either Data risks or Database User Activity after you enter the hostname and the API key and API secret, open the Search tab and search the log file for more information. The following error types show up when you search the log file:
index=_internal source="*/var/log/splunk/gi_for_splunk-2.0.0.log"
Note: The log file depends on the version of the Splunk app: Splunk Version 3.3.1 uses gi_for_splunk-3.3.1.log
- Auth Error
The following error is displayed when an invalid hostname or an expired API key or API secret is entered.
ERROR Error retrieving risks_event data from GI risks API, please check if GI Host/API values are correct or your GI Host Status: ...
ERROR Error retrieving risks event details for risk ...
- Version Error
The following error is displayed when you use a host other than Guardium® Insights 3.3.
INFO Invalid type for variable 'received_data'. Required value type is Riskanalyticscontrollerv3GetRiskEventRowResponse and passed type was str at ['received_data']
Note: For successful data retrieval, "INFO Modular Input Call Initiated" and then "INFO Modular Input call complete" are displayed in the Splunk log search. If you do not see "INFO Modular Input call complete" in the search log, then the Risks data pull is retrieving an excessive amount of data. Decreasing Past Event Days and Data Pulling Interval can help.
- Other Errors
If no records are found, then your modinput file (modinput.py) might be producing errors. If you discover errors that are not listed, contact IBM Support at c3cvp8ch@ca.ibm.com.
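The checks above can be run over exported log lines in one pass. The following is an added example, not part of the Splunk app or IBM's code: the function name, the sample lines, and their timestamp prefix are constructed, and only the message text is taken from this page.

```python
import re
from collections import Counter

# Message fragments quoted on this page, mapped to the error type they indicate.
SIGNATURES = {
    "auth": re.compile(r"ERROR Error retrieving risks[_ ]event"),
    "version": re.compile(r"INFO Invalid type for variable 'received_data'"),
}
STARTED = re.compile(r"INFO Modular Input Call Initiated", re.I)
FINISHED = re.compile(r"INFO Modular Input call complete", re.I)

# Constructed sample lines (timestamp prefix is an assumption about the log layout).
SAMPLE = [
    "2024-01-01 10:00:00 INFO Modular Input Call Initiated",
    "2024-01-01 10:00:02 ERROR Error retrieving risks_event data from GI risks API, please check if GI Host/API values are correct or your GI Host Status: ...",
    "2024-01-01 10:00:02 ERROR Error retrieving risks event details for risk ...",
    "2024-01-01 10:00:03 INFO Modular Input call complete",
    "2024-01-01 10:05:00 INFO Modular Input Call Initiated",
    "2024-01-01 10:05:01 INFO Invalid type for variable 'received_data'. Required value type is ...",
    "2024-01-01 10:10:00 INFO Modular Input Call Initiated",
]


def triage(lines):
    """Count auth/version errors and modular input runs with no 'complete' line."""
    counts = Counter()
    open_run = False  # True between "Initiated" and "complete"
    for line in lines:
        if STARTED.search(line):
            if open_run:  # a new run began before the previous one completed
                counts["incomplete_runs"] += 1
            open_run = True
        elif FINISHED.search(line):
            open_run = False
            counts["completed_runs"] += 1
        else:
            for name, pattern in SIGNATURES.items():
                if pattern.search(line):
                    counts[name] += 1
    if open_run:  # last run has no completion line (it may still be in progress)
        counts["incomplete_runs"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A nonzero `incomplete_runs` count corresponds to the missing "Modular Input call complete" case in the note above, where decreasing Past Event Days and Data Pulling Interval can help.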