Cisco IOS - error messages upon restart

robert_miller
Path Finder

I installed the Cisco IOS TA app onto our indexers and I am seeing the following error messages upon restart. Should I delete that entire stanza from the default directory? Or is there another solution?

            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 5: mode  =  random
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 8: outputMode  =  splunkstream
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 9: sourcetype  =  cisco:ios
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 12: host.token  =  \S{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s\d+
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 13: host.replacement  =  $SPLUNK_HOME\etc\apps\SA-Eventgen\samples\hostname.sample
0 Karma

mikaelbje
Motivator

Hi Robert,

To be able to dig any deeper I need some more information.

  1. Splunk version
  2. What version of the Event generator app? (SA-Eventgen)

The two first lines from your logs are not related to the Cisco IOS TA.

The other lines are related to event generation - that is the generation of events based on samples. You don't need this in a production environment. Event generation is used in demos, labs and so on.

My advice would be one of the following:

  • Check that you have the LATEST version of SA-eventgen
  • Delete SA-eventgen
0 Karma

mikaelbje
Motivator

To my knowledge eventgen.conf is not read when SA-eventgen is disabled so you don't need to delete the file. You could also check if there is a newer version of SA-eventgen around in case you need event generation. If it's the latest version I'll check if something has changed since I created the eventgen configuration file.

0 Karma

robert_miller
Path Finder

I removed the first 2 lines from the original post because they weren't relevant.

I am running Splunk version 6.0.3 and I have SA-eventgen on one search head that is running version 1.1.2. I have deleted the folder SA-eventgen. Should I also delete the file eventgen.conf from the TA-cisco_ios app?

0 Karma
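
Added example, not part of the thread and not Splunk's or the TA author's code: a small Python triage script that groups "Possible typo in stanza" warnings like the ones quoted in the question by app, conf file and stanza, so you can see at a glance whether they all come from one file such as eventgen.conf. The function names and the sample text are assumptions made for this illustration; the sample reuses four lines from the post plus one constructed unrelated line.

```python
import re
from collections import defaultdict

# Matches the warning format quoted in the original post.
WARNING_RE = re.compile(
    r"Possible typo in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>\S+), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+=\s+(?P<value>.*)$"
)

# Constructed sample input: four warnings from the post and one unrelated line.
SAMPLE = r"""
unrelated startup line (constructed)
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 5: mode  =  random
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 8: outputMode  =  splunkstream
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 9: sourcetype  =  cisco:ios
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 12: host.token  =  \S{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s\d+
"""


def summarize(text):
    """Group warnings as {(conf path, stanza): [(line number, key), ...]}."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = WARNING_RE.search(raw)
        if m:  # lines that are not "Possible typo" warnings are ignored
            groups[(m["path"], m["stanza"])].append((int(m["line"]), m["key"]))
    return dict(groups)


def app_of(path):
    """Return the app directory name from an .../etc/apps/<app>/... path, else None."""
    m = re.search(r"/etc/apps/([^/]+)/", path)
    return m.group(1) if m else None


def report(text):
    """One summary line per (conf file, stanza), keys listed in file order."""
    out = []
    for (path, stanza), hits in sorted(summarize(text).items()):
        keys = ", ".join(key for _, key in sorted(hits))
        conf = path.rsplit("/", 1)[-1]
        out.append(f"{app_of(path)}: {conf} [{stanza}] {len(hits)} warning(s): {keys}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
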