Splunk With Bigfix

Hello,

We installed Splunk in our environment, but when I go to environment -> Client overview, relay overview, there are no results.

But in user overview there are results.

What can be the cause of that?

Thanks,
Ortal

You will have to tailor the provided scripts to your environment. The problem with the app is that the pre-packaged scripts may include properties your BigFix instance does not provide. Since they aren’t provided, all data is being discarded. What I did for my environment was turn on the Python debugging and run the script from the command line to find where the errors were and remove them from the script. Obviously make a backup first.

OK.
But how can I edit the scripts?
Is there some guide for Splunk? I didn’t find anything that explains all of this.

You are correct in that there is very little documentation regarding the app and tailoring it to the needs of your environment. The app page has a “Documentation” tab that is seriously lacking in how the app and scripts are configured and troubleshooting methods. The idea was that it was built out of the box for IEM 7.0 environments, so obviously a lot of changes have been made since then. Let me give you a crash course in what I did.

The BigFix app is installed on the core Splunk server here (Note my installation is on a Windows server so follow the path according to your host OS):

$SPLUNK_HOME\Splunk\etc\apps\bigfix

To turn on the debugging for your scripts, open the following file and remove the comment (#) from lines 14 - 18 depending on where you think the issue is. My guess is, according to what you’re describing, you would just need to remove the comment from line 14.

$SPLUNK_HOME\Splunk\etc\apps\bigfix\lib\bigfix\soap\bfconnector.py

Browse to the following folder in CMD or command line and run the scripts corresponding with the data you are trying to retrieve that are having issues:

$SPLUNK_HOME\Splunk\etc\apps\bigfix\bin

This should give you the output of the script up until the error that is causing all data to be discarded. Open the scripts in some kind of editor and remove the content that isn’t grabbing any information and the scripts should start functioning. Remember to turn off the debugging in the bfconnector.py file when you’ve got it working.

Good luck.

I realize this is an old thread, but thought I would give it a try.

I am attempting to install the connector also. I followed your advice regarding debug. Below is the error that I am seeing. Does this make any sense to you?

We are running Splunk version 7.1.3.

ERROR:root:Encountered Exception in GetRelevanceResult:

WebFault: Server raised fault: ‘Singular expression refers to nonexistent object.’

This was always an issue with the way the SOAP queries were written: they don’t have any fault tolerance, and the properties you are querying in them MUST all exist or the whole query fails.

That being said, if you’re looking to get data into Splunk, I’ve changed jobs since this thread started and I’ve been working on rebuilding the integration with more tolerance and better scale. See this thread for the latest.

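The failure mode discussed in this thread (one missing property failing the whole query) and the manual fix (finding and removing the offending properties) can be automated. The following is an added example, not part of the original posts or the BigFix app's code; `fake_get_relevance_result`, the property names and the simplified query syntax are constructed stand-ins for the real SOAP call and session relevance.

```python
import re

# Constructed stand-in for the BigFix SOAP GetRelevanceResult call: it knows a
# fixed set of properties and fails the WHOLE query if any referenced one is
# missing, which is the behaviour described in the thread.
SERVER_PROPERTIES = {"Computer Name": "host01", "OS": "Win2016", "Relay": "relay01"}

class QueryFault(Exception):
    """Raised by the stub in place of the SOAP WebFault."""

def fake_get_relevance_result(query):
    names = re.findall(r'property "([^"]+)"', query)
    for name in names:
        if name not in SERVER_PROPERTIES:
            raise QueryFault("Singular expression refers to nonexistent object.")
    return [SERVER_PROPERTIES[n] for n in names]

def build_query(props):
    # Simplified placeholder syntax (assumption), not real session relevance.
    return "(" + ", ".join('property "%s"' % p for p in props) + ")"

def probe_properties(run_query, props):
    """Query each property on its own and split usable from failing ones."""
    usable, failing = [], {}
    for prop in props:
        try:
            run_query(build_query([prop]))
            usable.append(prop)
        except QueryFault as exc:
            failing[prop] = str(exc)
    return usable, failing

def tolerant_query(run_query, props):
    """Run the combined query; on a fault, drop failing properties and retry."""
    try:
        return props, run_query(build_query(props)), {}
    except QueryFault:
        usable, failing = probe_properties(run_query, props)
        rows = run_query(build_query(usable)) if usable else []
        return usable, rows, failing

if __name__ == "__main__":
    # Constructed list: "BIOS Date" and "Asset Tag" do not exist on the stub.
    wanted = ["Computer Name", "BIOS Date", "OS", "Asset Tag", "Relay"]
    cols, rows, skipped = tolerant_query(fake_get_relevance_result, wanted)
    print("returned:", dict(zip(cols, rows)))
    for prop, err in skipped.items():
        print("skipped %r: %s" % (prop, err))
```

Logging the skipped properties instead of silently dropping them keeps the gap visible to whoever relies on the resulting Splunk dashboards.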