This is Splunk Enterprise for Windows. Does this also apply to a Windows Server OS?
I believe it should. If you follow the same path but from a Windows perspective you should find the same file.
$SPLUNKHOME\etc\apps\TA-bigfix\bin\ta_bigfix\httplib2
Doesn't seem to resolve the issue:
2019-11-15 22:34:30,625 +0000 log_level=INFO, pid=4268, tid=Thread-4, file=xxxxx, func_name=request, code_line_no=169 | [stanza_name="users"] Invoking request to [httpsxxxxxxxxxx/:52311/api/query?output=json&relevance=%28%22name%3D%22+%26+name+of+it%2C+%22master_operator%3D%22+%26+master+flag+of+it+as+string%2C+%22action_count%3D%22+%26+number+of+issued+actions+of+it+as+string%2C+%22creation_time%3D%22+%26+creation+time+of+it+as+string%2C+%22last_login_time%3D%22+%26+%28if+%28exists+last+login+time+of+it%29+then+last+login+time+of+it+as+string+else+%22%22%29%29+of+bes+users] finished
2019-11-15 22:34:30,625 +0000 log_level=ERROR, pid=4268, tid=Thread-4, file=engine, func_name=_send_request, code_line_no=325 | [stanza_name="users"] **The response status=400 for request which url=httpsxxxxxxxxxx/:52311/api/query?**output=json&relevance=%28%22name%3D%22+%26+name+of+it%2C+%22master_operator%3D%22+%26+master+flag+of+it+as+string%2C+%22action_count%3D%22+%26+number+of+issued+actions+of+it+as+string%2C+%22creation_time%3D%22+%26+creation+time+of+it+as+string%2C+%22last_login_time%3D%22+%26+%28if+%28exists+last+login+time+of+it%29+then+last+login+time+of+it+as+string+else+%22%22%29%29+of+bes+users and method=GET.
2019-11-15 22:34:30,625 +0000 log_level=INFO, pid=4268, tid=Thread-4, file=engine, func_name=_run, code_line_no=270 | [stanza_name="users"] This job need to be terminated.
It seems something is going on on the BigFix side:
error: [Errno 10061] No connection could be made because the target machine actively refused it
2019-11-16 00:12:51,753 +0000 log_level=ERROR, pid=5924, tid=Thread-4, file=engine_py, func_name=_send_request, code_line_no=302 | [stanza_name="users"] HTTPError reason=HTTP Error [Errno 10061] No connection could be made because the target machine actively refused it when sending request to url=https://xxxxxxxxxx:52311/api/query?output=json&relevance=%28%22name%3D%22+%26+name+of+it%2C+%22master_operator%3D%22+%26+master+flag+of+it+as+string%2C+%22action_count%3D%22+%26+number+of+issued+actions+of+it+as+string%2C+%22creation_time%3D%22+%26+creation+time+of+it+as+string%2C+%22last_login_time%3D%22+%26+%28if+%28exists+last+login+time+of+it%29+then+last+login+time+of+it+as+string+else+%22%22%29%29+of+bes+users method=GET
What version of BigFix are you running?
9.5.7.90.
I'm also asking the admin to verify the cert install and determine if I'm using the correct port.
The BigFix server is not listening on 52311. The console is set to use 63422. The ports used to communicate with clients are dpt=63422 spt=62998.
Also we are not using a BigFix relay. Is that needed?
TCP [::]:135 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:443 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:445 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:1433 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:3389 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:8080 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:8442 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:47001 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:49664 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:49665 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:51168 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:51728 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:52593 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:52609 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:54376 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63052 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63054 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63422 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63426 xxxxxxxxxxxxxxx:0 LISTENING
No. The TA uses the REST API which is accessible via the server port which, in your case, sounds like it should be 63422. If you configure the TA to use that port, I imagine that should work.
I'm now getting http status code 401 (authentication failure). So that is progress! I'll have the administrator verify permissions.
Glad you're making progress.
The account needs to have specific capabilities enabled in the console. Specifically "Can use REST" and "Can see other user's actions". For security, I would recommend against using a console admin if it can be helped.
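As an added example for the two failure modes discussed above (the server not listening on the port the TA was given, then a 401 from an account without the REST capability), here is a small Python checker; it is not part of the TA or of this thread. It reads log lines in the format the TA writes, decodes the relevance clause out of the URL, and cross-checks the port against a netstat listing taken on the BigFix server. The host name, the two log lines and the netstat excerpt are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample lines in the TA log format quoted in this thread (host is a placeholder).
TA_LOG = """\
2019-11-16 00:12:51,753 +0000 log_level=ERROR, pid=5924, tid=Thread-4, file=engine_py, func_name=_send_request, code_line_no=302 | [stanza_name="users"] HTTPError reason=HTTP Error [Errno 10061] No connection could be made because the target machine actively refused it when sending request to url=https://bigfix.example:52311/api/query?output=json&relevance=%28%22name%3D%22+%26+name+of+it%29+of+bes+users method=GET
2019-11-16 00:20:05,001 +0000 log_level=ERROR, pid=5924, tid=Thread-4, file=engine, func_name=_send_request, code_line_no=325 | [stanza_name="users"] The response status=401 for request which url=https://bigfix.example:63422/api/query?output=json&relevance=%28%22name%3D%22+%26+name+of+it%29+of+bes+users and method=GET.
"""
# Constructed "netstat -an" excerpt as run on the BigFix server: it listens on 63422, not 52311.
NETSTAT = """\
TCP    [::]:443      [::]:0    LISTENING
TCP    [::]:63422    [::]:0    LISTENING
"""

LINE_RE = re.compile(r'log_level=(?P<level>\w+).*?\[stanza_name="(?P<stanza>[^"]+)"\] (?P<msg>.*)')
URL_RE = re.compile(r"url=(?P<url>https?://\S+?)(?= method=| and method=|$)")
STATUS_RE = re.compile(r"status=(?P<status>\d{3})")
ERRNO_RE = re.compile(r"\[Errno (?P<errno>\d+)\]")

def listening_ports(netstat_text):
    """Return the TCP ports reported as LISTENING in netstat output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def diagnose(log_text, netstat_text):
    """Map each failed TA request to a likely cause, using the server's listener list."""
    listening = listening_ports(netstat_text)
    findings = []
    for line in log_text.splitlines():
        m, u = LINE_RE.search(line), URL_RE.search(line)
        if not m or not u or m.group("level") != "ERROR":
            continue
        parts = urlsplit(u.group("url"))
        port = parts.port or 443
        # The relevance clause is URL-encoded; decode it so the query the TA sent is readable.
        relevance = parse_qs(parts.query).get("relevance", [""])[0]
        status, err = STATUS_RE.search(m.group("msg")), ERRNO_RE.search(m.group("msg"))
        cause = "unclassified"
        if err and err.group("errno") == "10061":
            cause = "connection refused: port %d is %slistening on the server" % (port, "" if port in listening else "not ")
        elif status and status.group("status") == "401":
            cause = "401: account lacks 'Can use REST' or credentials are wrong"
        elif status and status.group("status") == "400":
            cause = "400: server rejected the relevance query"
        findings.append({"stanza": m.group("stanza"), "port": port, "relevance": relevance, "cause": cause})
    return findings
```

Run `diagnose(TA_LOG, NETSTAT)` against a real `splunkd`-side TA log and a netstat capture from the BigFix server to see which of the two causes applies before touching the TA configuration.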
Just curious, I heard that Splunk DB Connect is an alternative for Splunk/BigFix integration. Are there advantages in using the REST-based connector?
After discussing the various options with people in-the-know, DBConnect is an option but if the schema changes during an upgrade, the DBConnect queries may no longer function and would need to be re-written. The REST API is less likely to have those types of changes made so once you develop the REST query, it shouldn't need updating for a while unless something drastic happens.
All seems to be working fine. Thank you for the help.
Just wondering, do you have interesting dashboards that could go along with the T/A?
At the moment, the original app that was on Splunkbase is being revised to use the data this TA provides. But because the TA is getting re-done to scale better in larger environments, that's on hold until the data collection is ironed out.
However, any suggestions on dashboards you'd like to see would be helpful as well.
Thanks, these dashboards look interesting. I will try to provide some feedback once we discuss them in the team.
Does the TA use a checkpoint? If so, how could I validate that it is working?
Thanks!
At the moment the TA doesn't use any checkpoints. Most of the time it's because there isn't a timestamp in all events to key in on during every query. So, for now, it's a query of everything on an interval.
I spotted this error in the App under the "Overview" tab, top frame.
I did manually delete the old version prior to installing the new App.
ServerSideInclude Module Error!
Splunk has failed to locate the template for uri '/APP/splunk_app_for_bigfix-master/appserver/static/BigFixSearch.html'.
The issue here is the same as the TA. You need to remove the "-master" from the app parent directory.
That seemed to fix that issue. However, it produced a new error.
Other than that top pane it seems to be working.
ServerSideInclude Module Error!
Splunk has failed to locate the template for uri '/APP/splunk_app_for_bigfix/appserver/static/BigFixSearch.html'.