Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Cisco IOS - error messages upon restart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco IOS - error messages upon restart
I installed the Cisco IOS TA app onto our indexers and I am seeing the following error messages upon restart. Should I delete that entire stanza from the default directory? Or is there another solution?
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 5: mode = random
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 8: outputMode = splunkstream
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 9: sourcetype = cisco:ios
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 12: host.token = \S{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s\d+
Possible typo in stanza [samplelog.cisco.ios] in /opt/splunk/etc/apps/TA-cisco_ios/default/eventgen.conf, line 13: host.replacement = $SPLUNK_HOME\etc\apps\SA-Eventgen\samples\hostname.sample
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Robert,
to be able to dig any deeper I need some more information.
- Splunk version
- What version of the Event generator app? (SA-Eventgen)
The two first lines from your logs are not related to the Cisco IOS TA.
The other lines are related to event generation - that is the generation of events based on samples. You don't need this in a production environment. Event generation is used in demos, labs and so on.
My advice would be one of the folllowing:
- Check that you have the LATEST version of SA-eventgen
- Delete SA-eventgen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To my knowledge eventgen.conf is not read when SA-eventgen is disabled so you don't need to delete the file. You could also check if there is a newer version of SA-eventgen around in case you need event generation. If it's the latest version I'll check if something has changed since I created the eventgen configuration file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I removed the first 2 lines from the original post because they weren't relevant.
I am running Splunk version 6.0.3 and I have SA-eventgen on one search heard that is running version 1.1.2. I have deleted the folder SA-eventgen. Should I also delete the file eventgen.conf from the TA-cisco_ios app?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
