Splunk_TA_stream and search head clusters (shc)

sloshburch
Splunk Employee

While trying to deploy both Splunk_TA_stream and splunk_app_stream to a SHC, you see the following error and the deploy push fails:

Error while deploying apps to target=https://burch:splunkd-port with members=3: Error while updating app=Splunk_TA_stream on target=https://burch-ip:splunkd-port: Non-200/201 status_code=500; {"messages":[{"type":"ERROR","text":"\n In handler 'localapps': Error installing application: Failed to copy: /opt/splunk/var/run/splunk/bundle_tmp/010fb5c688614565/Splunk_TA_stream to /opt/splunk/etc/apps/Splunk_TA_stream. Error occurred while copying source to destination error=\"Text file busy\" src=\"/opt/splunk/var/run/splunk/bundle_tmp/010fb5c688614565/Splunk_TA_stream/linux_x86_64/bin/streamfwd\" dest=\"/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd\""}]}
1 Solution

sloshburch
Splunk Employee

This is because when splunk_app_stream is pushed by the deployer to the SHC members, its process for installing Splunk_TA_stream kicks in. As a result, the deployer fails while trying to push 'Splunk_TA_stream' since its file handles are open by splunkd on the SHC, which is still deploying Splunk_TA_stream from splunk_app_stream.

I was able to validate and work around this by disabling all of the inputs listed in splunk_app_stream on the Deployer (which in turn leaves them disabled on the SHC members).

[script://./bin/scripted_inputs/deploy_splunk_ta_stream.py]
    disabled = true

[script://.\\bin\\scripted_inputs\\deploy_splunk_ta_stream.py]
    disabled = true

[script://./bin/scripted_inputs/setup_independent_stream.py]
    disabled = true

[script://.\\bin\\scripted_inputs\\setup_independent_stream.py]
    disabled = true
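
A pre-push check for the workaround above, added here as an example (it is not part of the original post and not Splunk's code): it layers an app's local inputs.conf over its default one and lists any `script://` stanza that would still run on the members. The function names, the sample `interval` values and the choice of local/inputs.conf for the override are assumptions.

```python
# Added example: verifies the scripted inputs are disabled before a deployer push.
# Assumption: the override is placed in the app's local/inputs.conf on the deployer.

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # settings may be indented, as in the post
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def merge(default, local):
    """Layer local over default key by key (local wins within one app)."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged

TRUTHY = {"1", "true", "t", "yes", "y"}  # boolean spellings treated as true

def enabled_script_inputs(default_text, local_text):
    """Return the script:// stanzas that are still enabled after the merge."""
    merged = merge(parse_conf(default_text), parse_conf(local_text))
    return sorted(
        name for name, keys in merged.items()
        if name.startswith("script://")
        and keys.get("disabled", "false").lower() not in TRUTHY
    )

# Constructed sample: default ships both scripts enabled, local disables one.
SAMPLE_DEFAULT = """
[script://./bin/scripted_inputs/deploy_splunk_ta_stream.py]
interval = 60
[script://./bin/scripted_inputs/setup_independent_stream.py]
interval = 60
"""
SAMPLE_LOCAL = """
[script://./bin/scripted_inputs/deploy_splunk_ta_stream.py]
    disabled = true
"""

if __name__ == "__main__":
    for stanza in enabled_script_inputs(SAMPLE_DEFAULT, SAMPLE_LOCAL):
        print("still enabled:", stanza)
```
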
