New issue for me after getting back to try and make this work.
1) I am not able to get splencore.sh to start. It fails at trying to process the pkcs12 file saying that there is a possible password problem. Not using any password.
2) No configuration log is generated.
Currently using Splunk 7.1.3 and FMC 126.96.36.199
The more I dig, it seems that eStreamer (slencore.sh) is assuming that the server is running Python 2.7 in its OS, rather than picking it up from Splunk. When I have looked at the encore.sh script, in the init section, it actually goes out and looks for Python 2.7 'pythonVersion='pybin -V 2>&1 | grep "Python 2.7"'. However, that may not actually get it to use Python 2.7 located in /opt/splunk/bin. Is there a way to change the variable pybin="python" to the actual location of Splunk's python, then it might work.
I tried what you posted. This is what it now looks like
I modified the clean statement so that it looks like what you have.
I still ended up with the same error... "/etc/apps/TA-eStreamer/bin/encore "doesn't exist"
I had updated to TA-eStreamer 3.5.4 hoping that the problem would clear, but it doesn't.
Today, I will try to update Splunk to 7.2.1 hoping for better results, but not holding my breath.
Let me know if I did anything wrong. I can provide the splencore.sh file if you would like to see it.
Thanks for the help.
I had seen similar issue with TA-eStreamer v3.0. So, I fixed the issue by updating the splencore.sh file: [ DougHard can review and add to next version of the TA]. It seems the script is unable to resolve the path, so I had to update them explicitly.
Also, on the clean() stanza, i had to update it to allow the files per available disk space
#configure retention period as needed
if [ "$(ls -A $datafilepath)"]
find ../../data/encore*.log -type f -mmin +120 -delete
Hope this helps.
After all that, I decided to change the relative path "$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore" to the explicit path "/opt/splunk/etc/apps/TA-eStreamer/bin/encore" and I was able to run the test even through it failed. Unfortunately, it started with this message: "This software is currently only compatible with Pyhon 2.7. You are running 2.6.6. I have Splunk running on RHEL 6.9 It started the diagnostic portion anyway, and when it wanted the password for the client.pkcs12, there was this message:
/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/crossprocesslogging/baseClient.py:35: DeprecationWarning: BaseExceptionmessage has been deprecated as of Python 2.6.
I have returned to working on this issue. I am now running Splunk 7.2.0 and FMC 6.3. I uninstalled eStreamer eNcore and reinstalled. I used 3.5.3. I still have the same issue when trying to get eNcore to work. I did notice when I was using the CLI something different that may be a reason why this is failing. When I ran ./splencore.sh test, the error "/etc/apps/TA-eStreamer/bin/encore "doesn't exist". I can see the directory. I opened up the file and found that line 12 establishes the variable for basepath="$SPLUNk_HOME/et/apps/TA-eStreamer/bin/encore".
This is lines 25-32
# change pwd
if [ -d $basepath ]
echo "\"$basepath\" does not exist"
The above if/else statements are also found in the configure.sh script.
Anyone have any ideas how to correct this?