Solved: Re: operation:"copying source to destination", err...

damode · ‎08-01-2019

I was getting numerous errors given below on one of the SHC members,
ERROR CsvDataProvider - The lookup table 'XXXX' does not exist or is not available.

I noticed, the lookups were missing only on that particular SHC member which gave that error.
So, I did a rolling restart, hoping the members would sync, but didnt work.
Then I did -

splunk resync shcluster-replicated-config

After running this command, I got the below error,

Failed to copy C:\Program Files\Splunk\var\run\splunk\bundle_tmp\snapshot.bundle.bcf4.tmp.untar to C:\Program Files\Splunk\etc. 18 errors occurred. Description for first 8: [{operation:"copying source to destination", error:"Access is denied.", src:"C:\Program Files\Splunk\var\run\splunk\bundle_tmp\snapshot.bundle.bcf4.tmp.untar\apps\Splunk_CiscoISE\lookups\cisco_action_lookup.csv", dest:"C:\Program Files\Splunk\etc\apps\Splunk_CiscoISE\lookups\cisco_action_lookup.csv"}

I have already checked, Splunk permissions and ensured the SYSTEM user has full rights.
This is Windows based Splunk solution.

damode · ‎08-01-2019

ok so I fixed the issue by just deleting the files from the folder - C:\Program Files\Splunk\var\run\splunk\bundle_tmp and then resync again.

View solution in original post

damode · ‎08-01-2019

ok so I fixed the issue by just deleting the files from the folder - C:\Program Files\Splunk\var\run\splunk\bundle_tmp and then resync again.

operation:"copying source to destination", error:"Access is denied."

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team