I installed the Cisco IOS TA app onto our indexers and I am seeing the following error messages upon restart. Should I delete that entire stanza from the default directory? Or is there another solution?
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 5: mode = random
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 8: outputMode = splunkstream
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 9: sourcetype = cisco:ios
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 12: host.token = \S{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s\d+
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 13: host.replacement = $SPLUNK_HOME\etc\apps\SA-Eventgen\samples\hostname.sample
Hi Robert,
To be able to dig any deeper, I need some more information.
The first two lines from your logs are not related to the Cisco IOS TA.
The other lines are related to event generation - that is the generation of events based on samples. You don't need this in a production environment. Event generation is used in demos, labs and so on.
My advice would be one of the following:
To my knowledge eventgen.conf is not read when SA-eventgen is disabled so you don't need to delete the file. You could also check if there is a newer version of SA-eventgen around in case you need event generation. If it's the latest version I'll check if something has changed since I created the eventgen configuration file.
I removed the first 2 lines from the original post because they weren't relevant.
I am running Splunk version 6.0.3 and I have SA-eventgen on one search head that is running version 1.1.2. I have deleted the folder SA-eventgen. Should I also delete the file eventgen.conf from the TA-cisco_ios app?