HTTP errors - [MC503] DEBUG urlib3 POST request failed error=Expecting value: line 1 column 2 (char 1) url=xxxx #232
Comments
I think the issue is that the app update wiped out our API key. Resetting it in the app configuration seemed to fix it.
|
Hi, I'm getting the exact same issue. However... Ours is on Splunk Cloud (this app is said to be compatible with SC, I don't think it is). We installed the base version of the app from the store (earlier than v4, I think?), configured it - it didn't work, so we upgraded to 4.2.2. The upgrade broke the app - we had to get Splunk Cloud support to add us the capability required for passwords, and to delete the app and re-install, then upgrade, effectively giving us a clean slate. The app now works on the front-end. But when we perform mispcollect, an identical error to what you are seeing appears. mispgetioc just doesn't give anything in return, not even an error. We also have zero logs to go by; for some reason, in this version, logging is not working. We have re-added the instance, updated the API key, disabled certificate validation, tried everything, none of it works. Can anyone here confirm that the previous version 4.2.0 actually does work and is worth installing on Splunk Cloud? We are running out of options, I am not sure that this app is compatible either, it has come to the attention of Splunk Support too. |
We had been using the previous version on Splunk cloud. The new version works like the previous version now that we have updated the API key. I don't recall having the issues you mention when we set it up initially. |
Another note: I just ran the upgrade readiness app and it states that this app is not compatible with Python 3. |
I think we have a bad instance of MISP perhaps, maybe I will spin up my Ubuntu instance at home and zone cloud it in to that for testing, will get back to you all with results. |
Hi, sorry to read you are having issues with MISP42 v4.2.2. For logging, I have tried to replace logging to system files (not working that well) with a graceful message on the GUI. If you receive feedback from Splunk support, please pass it on here to help improve it. |
At the risk of stating the obvious, I'd start with a very simple side-by-side troubleshooting with a command like this from the Splunk search:
And then the equivalent from your REST client of choice: https://www.misp-project.org/openapi/#tag/Events/operation/searchEvents
It can be a bit tricky (at least for me) remembering which messages go to _internal and which ones go to cim_modactions. I think the catch block in this particular section of code is actually written to the Splunk UI, not to an index. |
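Added example, not part of the thread and not misp42splunk code: the message in this issue's title has the format Python's JSON decoder uses when the text it is given is not JSON, so the side-by-side check comes down to comparing the status, Content-Type and first bytes of the reply. `diagnose_misp_reply` and the sample replies are hypothetical and constructed for illustration.

```python
import json

def diagnose_misp_reply(status, content_type, body):
    """Classify a MISP REST reply as a REST client shows it.

    Returns (verdict, detail). Hypothetical helper, not part of misp42splunk.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError as exc:
        # str(exc) is the "Expecting value: line L column C (char N)" text;
        # the first bytes of the body show what was actually returned.
        detail = f"{exc}; body starts with {body[:40]!r}"
        if ctype == "text/html":
            # A proxy, WAF or login page answered instead of the API.
            return "html_instead_of_json", detail
        return "invalid_json", detail
    message = parsed.get("message", "") if isinstance(parsed, dict) else ""
    if status in (401, 403):
        return "auth_rejected", message or "no message field in reply"
    if status >= 400:
        return "http_error", message or f"HTTP {status}"
    return "ok", f"valid JSON, top-level type {type(parsed).__name__}"

# Constructed sample replies (not captured from a real MISP instance).
SAMPLES = {
    "html_page": (200, "text/html; charset=UTF-8",
                  " <!DOCTYPE html><title>Sign in</title>"),
    "bad_key": (403, "application/json",
                '{"message": "constructed: key rejected"}'),
    "good": (200, "application/json", '{"response": []}'),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, "->", diagnose_misp_reply(*reply))
```

Feed it the status, Content-Type header and body your REST client received for the same request the Splunk command makes.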
OK - appinspect must not be the same as the python upgrade readiness app in SC. |
@hkelley for your MISP config in Splunk Cloud - did you configure it with a pem/crt, do you use a proxy, do you use a client cert? Our MISP instance is behind Cloudflare and has TLS with a good cert on the front-end, usual port 443... |
@J1mb0S1ic3 , we don't use a client cert, just an auth key. |
Hello, while investigating another issue, I got that error when there was a problem with the API key. The next version fixes the logging issue to return the error message from the request. |
Hi, I think that is correct, and if you use an assigned API token rather than the global one, this error happens, it seems... We also had some issues with Cloudflare that we resolved, which led us to discovering this. |
Hi, I was having the same error and interestingly, using AuthKey under "List Users" tab instead of "List Auth Keys" solved the issue. Or that's what we think anyway. |
Same error here. Tested from a VM to our externally reachable MISP and to an only internally reachable MISP. The same error message for both configs. Auth key is correct, renewed several times. A "GetEvent" test via curl from the same Splunk VM (to make sure MISP is reachable and the VM is able to talk outwards) is successful. Anyone come up with a solution yet? |
Looks like I found the reason why it didn't work without understanding why: In MISP the auth key management changed from "basic" to "advanced" some versions ago (optional). When using "advanced" you cannot see the initial auth key for every user and are only "limited" to creating several ones for every user. But these generated ones will not work.... |
The initially generated Auth-Key for your user is also not working. Anyone got it working? |
Hello,
Sorry for the delay, but I have misp42 working perfectly for 4 instances.
Next week I could generate a key again and publish a step by step.
|
Hi @remg427, any updates on this? |
I have this problem too when I set the limit number to 0 or a value greater than 280000, using lower values works fine. |
*** SOLVED *** *** QUESTION *** Addon is installed on a Heavy Forwarder that forwards fetched events to SplunkCloud. Error: Any tip is welcome |
Are there any updates on this issue? There are no "auto generated keys" for new users, only the key the user generates manually for themselves. We have no access to keys generated under the simple key management method. None of our API keys are working at all. |
Hello, on MISP42 only one MISP API key is needed per account, and all Splunk users could use the MISP42 commands and alert actions. |
Hello, you need to generate a new app token.
|
We recently started receiving errors like the following. I believe this started when we updated to misp42splunk 4.2.2.
We don't see any errors in _internal or cim_modactions, and the errors seem very python-ish.
This seems to be an error even before the HTTP request,
misp42splunk/package/bin/misp_common.py
Line 285 in fc97aed
Is anyone else seeing this? Tips?