[Resolved] Error: Splunk search failed: EOF through Terraform

premadhas · June 26, 2023, 3:10pm

Hi there,

I’m trying to run a simple test search using this provider and it’s throwing below error, can you please help identify where and what I’m missing?
The same query if run directly on the Splunk i’m getting result.

Error

> terraform plan
data.itsi_splunk_search.itsi_test_search: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Splunk search failed: EOF
│ 
│   with data.itsi_splunk_search.itsi_test_search,
│   on data.tf line 1, in data "itsi_splunk_search" "itsi_test_search":
│    1: data "itsi_splunk_search" "itsi_test_search" {

not_working.tf

data "itsi_splunk_search" "itsi_test_search" {
  
  search {
    query = <<-EOT
      | mstats count(*) WHERE index="*metrics*" span=100ms
    EOT

    earliest_time = "-5m"
  }
}

output "search_data" {
    value = data.itsi_splunk_search.itsi_test_search.results
}

working.tf

data "itsi_splunk_search" "test_search" {

  search {
    query = <<-EOT
       | makeresults count=5 | eval test = "A"
    EOT

    earliest_time = "-10m"
  }

  search {
    query = <<-EOT
      | makeresults count=5 | eval test = "B"
    EOT

    earliest_time = "-10m"
  }

}

apparentlymart · June 26, 2023, 3:44pm

Hi @premadhas!

Unfortunately I’m not sure that there are many folks in this forum who are familiar with this particular provider. I’m happy to leave this topic open just in case someone is able to answer, but I would suggest also trying to ask in a forum that’s focused on Splunk or ITSI, since folks there might be able to make a better guess as to what’s going wrong.

Although I’m not familiar with this provider in particular, the error message EOF is the string representation of the Go programming language’s “end of file” error, which might suggest that the provider (or the Splunk client library it depends on) is trying to parse an empty response from the server and is therefore encountering an unexpected end of file. For example, this typically happens in Go programs which try to parse an empty buffer as if it were JSON.

This error message seems to originate from here in the provider source code:

github.com

TiVo/terraform-provider-splunk-itsi/blob/143ecc467bcce8efab228078dbe5198e7498ee7a/provider/datasource_splunk_search.go#L308-L311


      
          	rows, _, err := conn.Search(ctx, sr.client.RetryPolicy, s.Query, params)
          	if err != nil {
          		return nil, append(diags, diag.Errorf("Splunk search failed: %s", err)...)
          	}

…which suggests that this conn object is the one returning EOF, and that’s a SplunkConnection object. I can only see one part of that Search method’s implementation that directly returns an error from an underlying call without wrapping it with more context:

github.com

TiVo/terraform-provider-splunk-itsi/blob/55f3a2f038e52c47d5ba2913c7f43ec7360149a0/provider/splunk/search.go#L102-L104


      
          		if r, err := parseLine(v); err != nil {
          			return nil, nil, err
          		} else {

…and this parseLine function is indeed attempting to parse the given line as JSON:

github.com

TiVo/terraform-provider-splunk-itsi/blob/55f3a2f038e52c47d5ba2913c7f43ec7360149a0/provider/splunk/search.go#L36-L41


      
          func parseLine(line string) (r Row, err error) {
          	fbuf := bytes.NewBufferString(line)
          	dec := json.NewDecoder(fbuf)
          	r = NewRow()
          	return r, dec.Decode(&r)
          }

Therefore my best guess is that the server is returning something that isn’t JSON in its response and the client library is handling that situation poorly, returning only a vague error message. However, I can’t say more than that because I’m not familiar with this particular API and server.

premadhas · June 26, 2023, 4:22pm

@apparentlymart Thanks a lot for the prompt input, it was due to provider version. Using the latest beta version of provider is not throwing this error.