Errors using Splunk for *NIX

davidpaper
Contributor

I'm seeing the following red bar UI errors (also in the log files) when launching the Splunk for *NIX app version 5.0.1 with Splunk version 5.0.2, http://splunk/en-US/app/splunk_app_for_nix/home:

Error in 'SearchParser': Could not find macro 'home_cpu_idle' that takes 2 arguments. Expecting stanza name 'home_cpu_idle(2)'.  
Error in 'SearchParser': Could not find macro 'home_disk_used' that takes 2 arguments. Expecting stanza name 'home_disk_used(2)'. 
Error in 'SearchParser': Could not find macro 'unix_noop' that takes 0 arguments. Expecting stanza name 'unix_noop'.

In digging around, I'm confused. I found the three macros, but they are in the SA-nix app, not the splunk_app_for_nix app. Looking at each of the macros in Manager, they are all owned by the SA-nix app, and not shared with any other app. I've got permission to view them (I'm logged in as a user in the admin user role), but from everything I know about permissions, this is not going to work.

How is the Splunk for *NIX app supposed to see the macros in the SA-nix app when they aren't shared?

The weirdest part about this is that when I installed splunk_app_for_nix and the SA-nix app on my Search Head, this worked for a while, as I remember being very frustrated trying to get data out of the UI, but all of the back end bits worked.

Any suggestions welcomed.

0 Karma

araitz
Splunk Employee

Did you read through the docs on how to configure the app? http://docs.splunk.com/Documentation/UnixApp/latest/User/First-timeconfiguration

Once you do this, these errors should go away. If you are in a distributed environment, which I sense that you are, it may take a minute or two for those messages to go away.

To clarify, the default sharing on SA-nix is global - see metadata/default.meta:

# Application-level permissions

[]
access = read : [ * ], write : [ admin ]
export = system

Perhaps someone has overridden the default?

davidpaper
Contributor

Already done, and fixed. Turns out that the install itself appears to be correct in all instances we could audit, but permissions were just not getting picked up.

To fix: stopped both SHs, removed all 3 apps (SA-nix, Splunk_TA, Splunk for nix app), and untarred a fresh copy. Restarted Splunk SH, went through SA-nix first time setup, then Splunk for NIX first time setup, and permissions were correct, and I could see the past 3 months of data in the os index.

Thanks to BrianO for verifying the original setup looked right, and the suggestion for the "nuke from orbit" and re-install via tar.

0 Karma

araitz
Splunk Employee

There is something going on here that is unusual, but I don't have enough information to understand what it is. Can you please open a support case?

0 Karma

davidpaper
Contributor

I did go through the first time config. This is a distributed, clustered, SHP-enabled environment.

[splunk]:stmocprvsh1:/splunk/etc/apps/SA-nix/metadata$ more default.meta
# Application-level permissions

[]
access = read : [ * ], write : [ admin ]
export = system

[lookups]
export = system

The entries in default.meta look correct. Nothing has been overwritten as far as I can tell.

Looking in the manager -> All configurations, I can't find any of the 3 macros that show up in the error messages. I see them (manually) in the SA-nix/default/macros.conf, but Splunk can't.

0 Karma
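
The override check suggested in the accepted answer, as an added example that is not part of the original thread or of the app's own code: it merges an app's default.meta (contents as posted above) with a local.meta and reports which stanza decides the export value for each macro named in the errors. The local.meta override is constructed, and the precedence model (most specific stanza first, local.meta over default.meta within a stanza, system-level metadata ignored) is a simplifying assumption.

```python
from urllib.parse import unquote

# SA-nix/metadata/default.meta as posted in the thread.
DEFAULT_META = """\
# Application-level permissions

[]
access = read : [ * ], write : [ admin ]
export = system

[lookups]
export = system
"""

# Constructed local.meta override (not from the thread).
LOCAL_META_CONSTRUCTED = """\
[macros/home_cpu_idle%282%29]
export = none
"""

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; stanza names are URL-decoded."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = unquote(line[1:-1].strip())
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_export(default_text, local_text, obj_type, name):
    """Return (export value, deciding stanza); (None, None) if export is never set."""
    layers = (("local.meta", parse_meta(local_text)),
              ("default.meta", parse_meta(default_text)))
    # Most specific stanza wins; within one stanza, local.meta beats default.meta.
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        for fname, stanzas in layers:
            if "export" in stanzas.get(stanza, {}):
                return stanzas[stanza]["export"], f"{fname} [{stanza}]"
    return None, None

if __name__ == "__main__":
    for macro in ("home_cpu_idle(2)", "home_disk_used(2)", "unix_noop"):
        print(macro, effective_export(DEFAULT_META, LOCAL_META_CONSTRUCTED, "macros", macro))
```

An export of system means the macro is shared globally; a macro that resolves to anything else is visible only inside SA-nix, which would keep splunk_app_for_nix from finding it.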