Resilient-add-on and Search Head Cluster

simony
Path Finder

Hi all

I wanted to ask if Splunk's Resilient add-on is also compatible with a search head cluster? I currently have the problem that the exact same app and configuration works on a standalone search head, but not on an SHC. I receive the following error message:

01-22-2018 14:03:22.531 +0100 WARN sendmodalert - action=resilient - Alert action script returned error code=1

The connection of the app to the Resilient server works perfectly; that's why it shows me the fields in the alert action. Could someone help me here? Where can I find more log information, so that I can find out what the problem is?

Best Regards,
Yanick

ibmresilient
Path Finder

Hello Yanick,

If you can access the Splunk server, the log files can be found in $SPLUNK_HOME/var/splunk/log. There are 3 log files that might contain useful information:
splunkd.log
resilient.log
python.log

Without detailed info from the log files, there are several possible causes:
1. Network issue. Please check connectivity from the SHC to the Resilient Server. Also make sure that port 443 is not blocked.
2. Field mapping issue. If a custom incident field has been added to the Resilient Server, the config used by the resilient-add-on needs to be updated as well. So a user needs to re-run the app config on the deployer to get the new config, and then push the new config to all the SHC members.

Thanks.

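The answer above points at three log files and a network check but does not show how to go through them. The script below is an added example (not part of the thread and not IBM's or Splunk's own tooling) that pulls the sendmodalert failures for the resilient action out of splunkd.log, tails the two add-on logs, and tests TCP reachability of the Resilient server on port 443 from the search head member it runs on. It assumes the standard log location `$SPLUNK_HOME/var/log/splunk` (override `LOG_DIR` if yours differs), that `nc` is available for the port test, and that the Resilient host name is passed by the caller. With no arguments it runs against a constructed sample log so it can be tried offline; `--live RESILIENT_HOST` runs it against the real files.

```shell
#!/bin/sh
# Added diagnostic helper for the resilient add-on alert-action failure discussed in the thread.
# Assumptions (not from the thread): SPLUNK_HOME defaults to /opt/splunk and the log
# directory is $SPLUNK_HOME/var/log/splunk; the Resilient host is supplied by the caller.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
LOG_DIR="${LOG_DIR:-$SPLUNK_HOME/var/log/splunk}"

# Print splunkd.log lines where sendmodalert reports a non-zero exit for the resilient action.
alert_errors() {
  grep 'sendmodalert' "$1" | grep 'action=resilient' | grep 'returned error code' || true
}

# Count those lines (printed as a bare number so it can be compared in a script).
count_alert_errors() {
  alert_errors "$1" | wc -l | tr -d ' '
}

# Show the last lines the add-on's own scripts wrote, if the file exists on this member.
tail_log() {
  if [ -f "$1" ]; then
    echo "== $1 =="
    tail -n "${2:-20}" "$1"
  else
    echo "== $1 not present on $(hostname) =="
  fi
}

# TCP reachability of the Resilient server (port 443 by default) from this search head member.
check_port() {
  host="$1"; port="${2:-443}"
  if command -v nc >/dev/null 2>&1; then
    if nc -z -w 5 "$host" "$port"; then
      echo "OK: $host:$port reachable from $(hostname)"; return 0
    fi
    echo "FAIL: $host:$port not reachable from $(hostname)"; return 1
  fi
  echo "nc not installed; test $host:$port manually"; return 2
}

# Constructed sample in splunkd.log format: one invocation line, one failure line, one
# STDERR line. These are made up for the demo, not copied from a real deployment.
sample_log_file() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
01-22-2018 14:03:22.100 +0100 INFO  sendmodalert - Invoking modular alert action=resilient for search="SHC test"
01-22-2018 14:03:22.531 +0100 WARN  sendmodalert - action=resilient - Alert action script returned error code=1
01-22-2018 14:03:22.532 +0100 ERROR sendmodalert - action=resilient STDERR -  Traceback (most recent call last):
EOF
  echo "$f"
}

case "${1:-}" in
  --live)
    # Real run on a search head member: scan the three log files, then test the Resilient host.
    alert_errors "$LOG_DIR/splunkd.log"
    tail_log "$LOG_DIR/resilient.log"
    tail_log "$LOG_DIR/python.log"
    check_port "${2:?usage: $0 --live RESILIENT_HOST}" 443
    ;;
  *)
    # Default: exercise the log filter against the constructed sample only.
    f=$(sample_log_file)
    echo "failed resilient alert actions in sample: $(count_alert_errors "$f")"
    alert_errors "$f"
    rm -f "$f"
    ;;
esac
```

Run it with `--live` on each search head member rather than only on the captain: the alert action executes on whichever member ran the scheduled search, so a firewall rule that only allows the captain to reach port 443 produces exactly the intermittent "error code=1" pattern while the app's own connection test from one member succeeds.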

skywalker
Observer

Hello @ibmresilient,

It's been 2 years, but I'm facing this issue. I raised a case with IBM, but unfortunately they confirmed that this app is not supported on SHC and that they'll upgrade the app for SHC by the end of 2021 Q1.

I'd like to ask you guys how you manage this app on SHC? You may have a different workaround for that.

Thanks in advance