Troubleshoot Splunk Connect for Zoom

After upgrading to Splunk 10, the Splunk Connect for Zoom fails to start up. The logs for your Splunk Connect for Zoom instance return ERROR.

See the following steps to troubleshoot your Splunk Connect for Zoom if it fails to start up, and the logs for your Splunk Connect for Zoom instance return ERROR. As an example, see the following error message, which would appear in your logs:

ERROR ExecProcessor [1048225 ExecProcessor] - message from “/opt/splunk/bin/python3.9 /opt/splunk/etc/apps/splunk_connect_for_zoom/bin/zoom_input.py” Enter PEM pass phrase:

Starting with Splunk 10, the certificates that were previously used as defaults for the Splunk Connect for Zoom became password-protected:

  • /opt/splunk/etc/auth/splunkweb/cert.pem

  • /opt/splunk/etc/auth/splunkweb/privkey.pem

The password for these certificates is not provided. If you are using Splunk 10 or above, you cannot use them as default certificates for the Splunk Connect for Zoom. To fix the error, replace the default certificates with your own trusted SSL certificates in settings.


See the following steps:

  1. In Splunk Web, navigate to Settings, then Data Inputs.

  2. Navigate to your Zoom input.

  3. In the SSL Certificate File row, replace the default certificate. Use the path to SSL certificate (.cer, .pem) format given by a trusted CA.

  4. In the SSL Certificate Key File row, replace the default certificate. Use the path to SSL certificate key (.cer, .pem) format given by a trusted CA.

  5. Restart your zoom input to apply the new settings.

Zoom data does not appear

If Zoom data is not appearing in your Splunk platform deployment, perform the following steps to troubleshoot the connection between your Splunk heavy forwarder, and your Zoom platform.

  1. Open a terminal and run the following command to check port 4443 and see if the modular input is listening: - sudo lsof -i -P -n | grep LISTEN
  2. In the terminal, run the following curlcommand to send test data and check it in the configured index: 
    curl -k https://localhost:4443 -X POST -H "Content-Type: application/json" -d '
{
  "event": "meeting.created",
  "payload": {
	"account_id": "o8KK_AAACq6BBEyA70CA",
	"operator": "someemail@email.com",
	"operator_id": "uLoRgfbbTayCX6r2Q_qQsQ",
	"object": {
  	"uuid": "czLF6FFFoQOKgAB99DlDb9g==",
  	"id": 111111111,
  	"host_id": "uLoRgfbbTayCX6r2Q_qQsQ",
  	"topic": "My Meeting",
  	"type": 2,
  	"start_time": "2019-07-09T17:00:00Z",
  	"duration": 60,
  	"timezone": "America/Los_Angeles"
	}
  }
}'
  3. Log into the Zoom marketplace.
  4. Check your zoom webhook call logs to verify that there are no issues on the Zoom side of your data ingestion process.
  5. Navigate to your Splunk Enterprise heavy forwarder, and disable the webhook input.
  6. Reenable your webhook input.
  7. Restart your Splunk heavy forwarder.

Zoom fails to invalidate the webhook endpoint and returns "Invalid TLS certificate"

When Zoom fails to invalidate the webhook endpoint and returns "Invalid TLS certificate", this is most likely due to a certificate verification error, leading to Zoom being unable to verify the certificate.

To fix this issue, use certificates from trusted CAs and not self-signed certificates.

Zoom fails to invalidate the webhook endpoint and returns "URL validation failure"=

When Zoom fails to invalidate the webhook endpoint and returns "URL validation failure", there can be multiple reasons for this failure:

  • The endpoint is behind a firewall and not publicly accessible. Contact your network administrator for further troubleshooting.
  • The secret token provided is outdated or invalid. To fix, update the Splunk Connect for Zoom with a valid token.
  • The webhook server never kicked off. Navigate to $SPLUNK_HOME/var/logs/, and check zoom_input.log if the server is running without any errors.