All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cisco IOS - error messages upon restart

robert_miller
Path Finder
‎07-07-2014 09:36 AM

I installed the Cisco IOS TA app onto our indexers and I am seeing the following error messages upon restart. Should I delete that entire stanza from the default directory? Or is there another solution?

            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 5: mode  =  random
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 8: outputMode  =  splunkstream
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 9: sourcetype  =  cisco:ios
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 12: host.token  =  \S{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s\d+
            Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 13: host.replacement  =  $SPLUNK_HOME\etc\apps\SA-Eventgen\samples\hostname.sample
0 Karma
Reply

mikaelbje
Motivator
‎07-07-2014 11:15 PM

Hi Robert,

to be able to dig any deeper I need some more information.

  1. Splunk version
  2. What version of the Event generator app? (SA-Eventgen)

The two first lines from your logs are not related to the Cisco IOS TA.

The other lines are related to event generation - that is the generation of events based on samples. You don't need this in a production environment. Event generation is used in demos, labs and so on.

My advice would be one of the folllowing:

  • Check that you have the LATEST version of SA-eventgen
  • Delete SA-eventgen
0 Karma
Reply

mikaelbje
Motivator
‎07-08-2014 10:22 PM

To my knowledge eventgen.conf is not read when SA-eventgen is disabled so you don't need to delete the file. You could also check if there is a newer version of SA-eventgen around in case you need event generation. If it's the latest version I'll check if something has changed since I created the eventgen configuration file.

0 Karma
Reply

robert_miller
Path Finder
‎07-08-2014 07:39 AM

I removed the first 2 lines from the original post because they weren't relevant.

I am running Splunk version 6.0.3 and I have SA-eventgen on one search heard that is running version 1.1.2. I have deleted the folder SA-eventgen. Should I also delete the file eventgen.conf from the TA-cisco_ios app?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...