I'm seeing the following red bar UI errors (also in the log files) when launching the Splunk for *NIX app version 5.0.1 with Splunk version 5.0.2, http://splunk/en-US/app/splunk_app_for_nix/home:
Error in 'SearchParser': Could not find macro 'home_cpu_idle' that takes 2 arguments. Expecting stanza name 'home_cpu_idle(2)'.
Error in 'SearchParser': Could not find macro 'home_disk_used' that takes 2 arguments. Expecting stanza name 'home_disk_used(2)'.
Error in 'SearchParser': Could not find macro 'unix_noop' that takes 0 arguments. Expecting stanza name 'unix_noop'.
In digging around, I'm confused. I found the three macros, but they are in the SA-nix app, not the splunk_app_for_nix app. Looking at each of the macros in Manager, they are all owned by the SA-nix app, and not shared with any other app. I've got permission to view them (I'm logged in as a user in the admin user role), but from everything I know about permissions, this is not going to work.
How is the Splunk for *NIX app supposed to see the macros in the SA-nix app when they aren't shared?
The weirdest part about this is that when I installed splunk_app_for_nix and the SA-nix app on my Search Head, this worked for a while, as I remember being very frustrated trying to get data out of the UI, but all of the back end bits worked.
Any suggestions welcomed.
Did you read through the docs on how to configure the app? http://docs.splunk.com/Documentation/UnixApp/latest/User/First-timeconfiguration
Once you do this, these errors should go away. If you are in a distributed environment, which I sense that you are, it may take a minute or two for those messages to go away.
To clarify, the default sharing on SA-nix is global - see metadata/default.meta:
# Application-level permissions
[]
access = read : [ * ], write : [ admin ]
export = system
Perhaps someone has overridden the default?
Already done, and fixed. Turns out that the install itself appears to be correct in all instances we could audit, but permissions were just not getting picked up.
To fix: stopped both SHs, removed all 3 apps (SA-nix, Splunk_TA, Splunk for nix app), and untarred a fresh copy. Restarted Splunk SH, went through SA-nix first time setup, then Splunk for NIX first time setup, and permissions were correct, and I could see the past 3 months of data in the os index.
Thanks to BrianO for verifying the original setup looked right, and the suggestion for the "nuke from orbit" and re-install via tar.
There is something going on here that is unusual, but I don't have enough information to understand what it is. Can you please open a support case?
I did go through the first time config. This is a distributed, clustered, SHP-enabled environment.
[splunk]:stmocprvsh1:/splunk/etc/apps/SA-nix/metadata$ more default.meta
# Application-level permissions
[]
access = read : [ * ], write : [ admin ]
export = system
[lookups]
export = system
The entries in default.meta look correct. Nothing has been overwritten as far as I can tell.
Looking in the manager -> All configurations, I can't find any of the 3 macros that show up in the error messages. I see them (manually) in the SA-nix/default/macros.conf, but Splunk can't.
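Added example, not part of any post in this thread and not Splunk's own code: a small Python check for the question raised above of whether a local.meta override stops the SA-nix macros from being shared with other apps. It assumes local.meta takes precedence over default.meta and that the most specific stanza wins; the default.meta text is the one quoted in the thread, and the local.meta content is constructed for illustration.

```python
from urllib.parse import unquote

# default.meta as quoted in the thread; local.meta is constructed for this example.
DEFAULT_META = """# Application-level permissions
[]
access = read : [ * ], write : [ admin ]
export = system
[lookups]
export = system
"""
LOCAL_META = """[macros]
export = none
"""

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; "" is the app-level [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = unquote(line[1:-1])  # object names may be URL-encoded in .meta files
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective(attr, obj_type, name, default_meta, local_meta):
    """Return (value, source) for attr on one object.

    Assumed precedence: most specific stanza first, local.meta before default.meta.
    """
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        for label, meta in (("local.meta", local_meta), ("default.meta", default_meta)):
            if attr in meta.get(stanza, {}):
                return meta[stanza][attr], f"{label} [{stanza}]"
    return None, "unset"

if __name__ == "__main__":
    default, local = parse_meta(DEFAULT_META), parse_meta(LOCAL_META)
    for macro in ("home_cpu_idle(2)", "home_disk_used(2)", "unix_noop"):
        value, source = effective("export", "macros", macro, default, local)
        flag = "visible to other apps" if value == "system" else "NOT shared globally"
        print(f"{macro}: export={value} from {source} -> {flag}")
```

To audit a real search head, read the app's metadata/default.meta and metadata/local.meta into `parse_meta` in place of the embedded strings.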