topic Re: knowledge bundle replication error in Knowledge Management

knowledge bundle replication error

yosoypako — Tue, 23 Apr 2024 12:26:24 GMT

Hello.

We are deploying a new search head in our splunk environment. We are using windows 2019 servers as platform. The nearch head is not working. We can see these errors on the indexer:

WARN BundleDataProcessor [12404 TcpChannelThread] - Failed to create file E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.e035b54cfcafb33b.tmp\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\ta_microsoft_graph_security_add_on_for_splunk\aob_py2\cloudconnectlib\splunktacollectorlib\data_collection\ta_checkpoint_mng.py while untarring E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.bundle: The system cannot find the path specified.

The file name (including the path) exceeds the limit of 260 characters on windows OS.

How can we use this addon?

Re: knowledge bundle replication error

deepakc — Tue, 23 Apr 2024 13:49:49 GMT

Have you carefully installed and deployed this add on within your Splunk deployment architecture

Follow the instructions https://splunkbase.splunk.com/app/4564 - click on the link and look for where to install this add on section first.

You would typically be install this onto a heavy forwarder if you are using one and set the inputs up, this would forward the data to the indexers and data will be parsed.

The add is required on the Search Heads for parsing (Knowledge Objects) so needs to be installed there, into the correct path.

So Install everythings as required, configure it and then look at the logs.

If you have already configured as required then this log message indicates something else.

It states "The system cannot find the path specified"

Have you installed it correctly?

Re: knowledge bundle replication error

richgalloway — Tue, 23 Apr 2024 14:21:04 GMT

Your first error is deploying Splunk on Windows. See https://community.splunk.com/t5/Getting-Data-In/What-are-the-pain-points-with-deploying-your-Splunk-architecture/m-p/650011

Please elaborate on "the search head is not working". What about it is not working? An error on an indexer does not necessarily mean there's a problem with the SH.

One workaround is to rename the TA so it resides in a directory with a shorter name (by at least 8 characters). Of course, you will have to maintain that forever.

Re: knowledge bundle replication error

yosoypako — Tue, 23 Apr 2024 14:34:44 GMT

Hello, thanks for your help.

Until now were using a single deployment of splunk (indexer, search head and data inputs) on the same box.

Now we have just started to split the roles by deploying a new search head.

By the search is not working I meant that the service is up and running, we can log on it but the searches are not running. We got this message:

Unable to distribute to peer named [indexer_splunk_instancename] at uri https://[indexer_ip]:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_BUNDLE_DATA_TRANSMIT_FAILURE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available.

On the indexer, on splunkd.log we got these messages:

File length is greater than 260, File creation may fail.

After reading the doc, I saw the app is supported on the indexers but it is not required.

If we move this application to one heavy forwarder. It will not be included on the replication bundle between SH and Indexer?

Re: knowledge bundle replication error

richgalloway — Tue, 23 Apr 2024 15:15:20 GMT

If the app is installed on the SH, it will be replicated to the indexer UNLESS it is excluded from the bundle. To exclude files from the bundle, add entries to the [replicationDenyList] stanza in distsearch.conf and restart the SH.

[replicationDenyList] MSbin = E:\Splunk\etc\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*

Re: knowledge bundle replication error

yosoypako — Wed, 24 Apr 2024 08:33:38 GMT

Hello.

I have tried different combination of replicationDenyList stanza definition, in all cases it did not work.

with quotes, "apps\TA-microsoft-graph-security-add-on-for-splunk\bin\...", without quotes apps\TA-microsoft-graph-security-add-on-for-splunk\bin\... , with * "apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*", with full path D:\Splunk Search Head\etc\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*, and combinations of them. But nothing, I always got the error:

Invalid key in stanza [replicationDenyList] in D:\Splunk Search Head\etc\system\local\distsearch.conf, line 29: MSbin (value: apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*).

Do you have a working example of this stanza?

Thanks for your help.

Re: knowledge bundle replication error

yosoypako — Wed, 24 Apr 2024 08:48:38 GMT

Hello, by same error i mean that after changing the stanza config in distsearch.conf and restarting the service on the sh., there was the Invalid key message on btool but with different value

Re: knowledge bundle replication error

yosoypako — Wed, 24 Apr 2024 11:35:46 GMT

Hello,

Now it is working.

This made the trick:

[replicationDenylist]
ms_graph = ...TA-microsoft-graph-security-add-on-for-splunk[/\\]bin[/\\]...

Thanks