I deployed the SoS-TA package by placing it on our cluster master in the /opt/splunk/etc/master-apps directory and deploying from the Web UI.
I noticed the following error after enabling the inputs:
01-08-2015 11:19:08.762 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh" /bin/sh: 1: /opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh: not found
The fix
Simply clone the 3 scripted inputs from SoS-TA and recreate the correct path, e.g.:
/opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh
Becomes:
/opt/splunk/etc/slave-apps/TA-sos/bin/ps_sos.sh
Have I deployed this incorrectly, or is it a bug in the package deployment mechanism?
This is pretty strange and very unexpected as the S.o.S technology add-on has been specifically validated to work in an indexer cluster environment, deployed from the cluster master just as you described.
Do you maybe have a pre-existing copy of "TA-sos" under $SPLUNK_HOME/etc/apps on the cluster peers? If so, you should remove that version and allow the one under $SPLUNK_HOME/etc/slave-apps to be the only copy of this TA present on the cluster peers.
Don't forget to enable the scripted inputs in $SPLUNK_HOME/etc/master-apps/local/inputs.conf on the Cluster Master before pushing out the TA!
I did originally copy to the wrong location, looks like there were some leftovers that Splunk was picking up 🙂
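The check suggested in the answer above, written out as an added example (not part of the original thread and not Splunk or S.o.S tooling): it lists apps on a cluster peer that exist under both etc/apps and etc/slave-apps, and names the scripts the leftover copy lacks. The function names are hypothetical, and the default install path /opt/splunk is taken from the question.

```shell
#!/bin/sh
# Added example: audit a cluster peer for apps that exist under both
# etc/apps (leftover manual copy) and etc/slave-apps (copy pushed by the
# cluster master). Assumes app directory names contain no whitespace.

# Print the name of every app present in both directories.
find_shadowed_apps() {
    home=$1
    for dir in "$home"/etc/slave-apps/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        app=$(basename "$dir")
        [ -d "$home/etc/apps/$app" ] && printf '%s\n' "$app"
    done
    return 0
}

# Print scripts that the clustered copy ships in bin/ but the leftover copy
# under etc/apps lacks (the "not found" case in the ExecProcessor error).
missing_scripts() {
    home=$1 app=$2
    for f in "$home/etc/slave-apps/$app/bin"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -e "$home/etc/apps/$app/bin/$name" ] || printf '%s\n' "$name"
    done
    return 0
}

# One report line per shadowed app; returns 1 if any were found, else 0.
audit_peer() {
    home=${1:-${SPLUNK_HOME:-/opt/splunk}}
    found=0
    for app in $(find_shadowed_apps "$home"); do
        found=1
        missing=$(missing_scripts "$home" "$app" | tr '\n' ' ')
        printf '%s: leftover copy in etc/apps; scripts missing there: %s\n' \
            "$app" "${missing:-none}"
    done
    return "$found"
}
```

Source the file on a peer and run `audit_peer /opt/splunk`; a non-zero return means at least one app still has a copy under etc/apps.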