Hi,
My setup is 1 Search Head and 3 Indexers and I've just upgraded my Cisco Security Suite insta.lation from 3.0.0 to 3.1.1, on the SH only. Now I'm stuck at the App Configuration screen. Whenever I press continue to App Configuration page, it throws:
Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ('Error connecting to /servicesNS/admin/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: The read operation timed out',)
There was an error retrieving the configuration, can not process this page.
Additionally, I get the following errors when I do any other search on other apps:
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::1.1.1.1|cisco:asa'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::2.2.2.2|cisco:asa'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::1.1.1.1|cisco:asa'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::2.2.2.2|cisco:asa'.
[indexer3] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
[indexer3] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
[indexer3] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.
Can someone help?
I managed to configure mine, however, I don't have a distributed search environment. Extending the session timeout in web.conf finally got me to the screen to enable the apps I needed, and all looks fine now.
Just checked that I also lack some dashboards, and receive the messages:
The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'
Just an update, I followed some links suggesting to disable "Cisco ASA / PIX / FWSM Dashboards" i.e. SA-cisco-asa , as well as I updated the Splunk Add-on for Cisco ASA to version 3.2.3 now it is OK, no more errors and all the dashboards are populated properly.
I made the lookup and table globally available. The error messages went away
How do you do that?
Go to Settings / Lookups
Filter App Context to "Cisco Security Suite"
Check "Show only objects created in this app context"
The list of related lookups will be displayed. Now, click on the "Permissions" link next to each related entry and check "All Apps" at the top. Save and repeat the process.
Did not solve the problem on my end unfortunately.
I had similar problems and after troubleshooting found that that SA-cisco-asa,SA-cisco-wsa,SA-cisco-esa,SA-cisco-sourcefire no longer requires in new version as add-ons. They are all incorporated into CiscoSecuritysuite app. After removing them from apps directory error messages no longer appears.
I contacted app-help and they provided the following which actually did work to solve the Splunkd daemon is not responding issue.
This actually worked for me, but it's a messy upgrade and had other problems after getting it up.
Hi,
I've also just upgraded to C.S.S. 3.1.1. from C.S.S. 3.0.0. in my test platform, Splunk 6.2.3.
Had exactly the same issue as this so it looks like it could be a wider issue. I've just put 3.0.0. back on and it's working again. Might be worth rolling back until this issue is sorted.
How do you backout from 3.1.1 to 3.0.3. When I tried with the cisco-security-suite_303.tgz file it throws and error.
There was an error processing the upload
I am having the same issue. I am also on 6.2.3
Me too, any resolution?
I am on 6.2.3, and backed out to 3.0.3 {3.0.0 is no longer available).