
Add new Cisco IPS Sensor: Failed to create scripted input!

RaaBamayan
New Member

Hi all,
I am trying to add a new Cisco IPS4270-20 probe to Splunk_CiscoIPS, but I get this:
Encountered the following error while trying to update: In handler 'localapps': Failed to create scripted input!

SPLUNK version 5.0.8, build 201809
Splunk_CiscoIPS ver 2.0.0
IPS Version 7.1(8)E4

I have tried it unsuccessfully many times. Any advice?

Thanks a lot for help!

Radim

0 Karma

RaaBamayan
New Member

Manually adding doesn't work anyway... 😞

But in splunkd.log I can see this:

05-06-2014 16:11:49.650 +0200 ERROR AdminHandler:Exec - passAuth user does not exist: splunk-system-user
05-06-2014 16:11:49.669 +0200 ERROR AdminManager - Failed to create scripted input!

For adding the probe I use the credentials of the probe (admin privilege, not operator). Which user doesn't exist?

Thanks again in advance!

I use the free trial of Splunk! Could that be the problem? It's just for testing now, to decide which SIEM console we should choose. As a log server Splunk is the best solution, so I hope it would be for SIEM too 😉

R.

0 Karma

dkuk
Path Finder

You could also check if the user Splunk is running as has permission to write to the file & directory concerned: $SPLUNK_HOME$/apps//local/inputs.conf. This is because when you use the UI to create inputs, as jconger mentioned, the REST API is being used by the IPS app to update the inputs.conf file for you.

As well as updating the file manually as mentioned previously, you could rename the inputs.conf file then try again to see if there's something strange going wrong with any inputs file already in place. I.e. let the IPS app create the inputs.conf file again from scratch, in a format it's happy with.

The other file this app writes to is app.conf (also in local dir) so the same advice applies here also.

Just a couple of ideas.

0 Karma

jconger
Splunk Employee

This error means that the setup handler could not create the stanza in inputs.conf via the REST API. You can take a look at splunkd.log for more information on why it failed. As a workaround, you can manually create the stanza in inputs.conf to pull your IPS logs.

0 Karma
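One way to do the splunkd.log check suggested in the answer above, as an added example that is not part of the original thread or of the Cisco IPS app: it finds each "Failed to create scripted input" line and returns the ERROR/WARN lines logged just before it, which is where the underlying cause shows up. The two ERROR lines are the ones posted in this thread; the other sample lines, the function names and the 2-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line layout as seen in the thread:
# MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)

# Sample input: the two ERROR lines come from the thread, the rest is constructed.
SAMPLE = """\
05-06-2014 16:10:02.113 +0200 WARN  DateParserVerbose - constructed line, outside the window
05-06-2014 16:11:49.101 +0200 INFO  ExecProcessor - constructed line, not an error
05-06-2014 16:11:49.650 +0200 ERROR AdminHandler:Exec - passAuth user does not exist: splunk-system-user
05-06-2014 16:11:49.669 +0200 ERROR AdminManager - Failed to create scripted input!
""".splitlines()

def parse_line(line):
    """Return a dict for a well-formed splunkd.log line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return {"ts": ts, "level": m["level"],
            "component": m["component"], "message": m["message"]}

def explain_failures(lines, needle="Failed to create scripted input", window_s=2.0):
    """Pair each failure line with the ERROR/WARN lines logged shortly before it."""
    events = [e for e in map(parse_line, lines) if e]
    window = timedelta(seconds=window_s)
    report = []
    for i, ev in enumerate(events):
        if needle not in ev["message"]:
            continue
        context = [p for p in events[:i]
                   if p["level"] in ("ERROR", "WARN")
                   and needle not in p["message"]
                   and ev["ts"] - p["ts"] <= window]
        report.append((ev, context))
    return report

if __name__ == "__main__":
    for failure, context in explain_failures(SAMPLE):
        print(failure["ts"].isoformat(), failure["component"], failure["message"])
        for c in context:
            print("  preceded by:", c["component"], "-", c["message"])
```

To run it against a real log, pass the lines of splunkd.log to `explain_failures` instead of `SAMPLE`.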