
Add new Cisco IPS Sensor: Failed to create scripted input!

RaaBamayan
New Member

Hi all,
I am trying to add a new Cisco IPS4270-20 probe into Splunk_CiscoIPS, but I get this:
Encountered the following error while trying to update: In handler 'localapps': Failed to create scripted input!

SPLUNK version 5.0.8, build 201809
Splunk_CiscoIPS ver 2.0.0
IPS Version 7.1(8)E4

I have tried it unsuccessfully many times. Any advice?

Thanks a lot for help!

Radim

0 Karma

RaaBamayan
New Member

Manually adding doesn't work anyway... 😞

But in splunkd.log I can see this:

05-06-2014 16:11:49.650 +0200 ERROR AdminHandler:Exec - passAuth user does not exist: splunk-system-user
05-06-2014 16:11:49.669 +0200 ERROR AdminManager - Failed to create scripted input!

For adding the probe I use the credentials of the probe (admin privilege, not operator). What user doesn't exist?

Thanks again in advance!

I use the free trial of Splunk! Could that be the problem? It's just for testing now, to decide which SIEM console we should choose. As a log server Splunk is the best solution, so I hope it would be for SIEM too 😉

R.

0 Karma

dkuk
Path Finder

You could also check if the user Splunk is running as has permission to write to the file & directory concerned: $SPLUNK_HOME$/apps//local/inputs.conf. This is because when you use the UI to create inputs, as jconger mentioned, the REST API is being used by the IPS app to update the inputs.conf file for you.

As well as updating the file manually as mentioned previously, you could rename the inputs.conf file then try again to see if there's something strange going wrong with any inputs file already in place. I.e. let the IPS app create the inputs.conf file again from scratch, in a format it's happy with.

The other file this app writes to is app.conf (also in local dir) so the same advice applies here also.

Just a couple of ideas.

0 Karma
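The permission check suggested in the reply above, as an added example (not part of the thread and not code from the Splunk_CiscoIPS app). It assumes plain POSIX mode bits (ACLs are ignored), takes the app directory as an argument because the thread does not give the full path, and uses hypothetical function names.

```python
import os
import sys

CONF_FILES = ("inputs.conf", "app.conf")  # the two files named in the reply above


def has_perm(st, uid, gids, want):
    """True if the mode bits in `st` grant every bit in `want` ('r','w','x') to uid/gids."""
    if uid == 0:
        return True  # root is not restricted by write/search bits
    if uid == st.st_uid:
        shift = 6  # owner triplet
    elif st.st_gid in gids:
        shift = 3  # group triplet
    else:
        shift = 0  # other triplet
    bits = (st.st_mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def check_app_local(app_dir, uid, gids):
    """Return (path, problem) pairs for the app's local/ directory and its conf files."""
    local = os.path.join(app_dir, "local")
    if not os.path.isdir(local):
        return [(local, "directory missing")]
    problems = []
    # Creating or renaming a conf file needs write + search on the directory itself.
    if not has_perm(os.stat(local), uid, gids, "wx"):
        problems.append((local, "cannot create or rename files here"))
    for name in CONF_FILES:
        path = os.path.join(local, name)
        # A missing file is fine: it can be created if the directory check passed.
        if os.path.exists(path) and not has_perm(os.stat(path), uid, gids, "w"):
            problems.append((path, "exists but is not writable"))
    return problems


if __name__ == "__main__":
    # Usage: python check_local.py <app directory>, run as the account splunkd runs as.
    if len(sys.argv) != 2:
        sys.exit("usage: check_local.py <app directory>")
    groups = set(os.getgroups()) | {os.getgid()}
    for path, problem in check_app_local(sys.argv[1], os.getuid(), groups):
        print(f"{path}: {problem}")
```

An empty result means the mode bits allow the account to update both files; any line printed names the path to fix before retrying the setup page.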

jconger
Splunk Employee

This error means that the setup handler could not create the stanza in inputs.conf via the REST API. You can take a look at splunkd.log for more information on why it failed. As a workaround, you can manually create the stanza in inputs.conf to pull your IPS logs.

0 Karma