Debugging TA_nix not reporting

bwhite
Engager

I edited the conf files on my local server before deploying, so I know they are all identical.

I have 5 servers.

I copied the Splunk_TA_nix folder to apps.

3 of the 5 have data showing up for the new "os" index.

splunkd.log, in fact the whole splunk/log folder, didn't have any errors.

But it also didn't have any mention of "idx=os" on the missing servers.

I ran some of the scripts in Splunk_TA_nix/bin in debug mode. No errors.

What log file or index do I check to debug the issue?

0 Karma

thahir
Path Finder

@bwhite have you checked the internal logs for the remaining 2 servers which are not reporting to Splunk?

0 Karma

gcusello
SplunkTrust

Hi @bwhite,

Some checks:

  • Do you have other logs (e.g. internal or application) from the missing servers?
  • Did you check that the TA_nix was correctly deployed to those servers?
  • Did you check that on those servers the user running Splunk has the grants to read files and execute scripts?

Ciao.

Giuseppe

bwhite
Engager

Thanks for the reply.

I did finally get back to this issue.
I checked and noticed that the execute permissions were missing from the scripts as you mentioned.

rw-rw-rw-

Adding those permissions helped but something else was still missing that I never found.

I finally solved it by downloading it directly to the server and expanding it there instead of downloading it and unzipping it on my machine first.

Everything magically started working.

Hope that helps,
Brad.

0 Karma

PickleRick
SplunkTrust

I suppose you unpacked and re-packed the TA on a Windows box. It's typical for Windows to mess up Unix permissions, so it's not a good idea to, for example, run a Windows-based deployment server for Unix clients.

Anyway, instead of editing files within the app (I hope you edited the local/ files, not the default/ ones) you can create an app with configs overwriting settings from the app. This way it might be more manageable.
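
A check for the permission problem found in this thread, as an added example that is not part of any poster's reply or of the TA itself: it lists scripts under an app's bin/ directory that lack the owner execute bit. The function names and the sample tree are constructed, and it assumes the user running Splunk owns the files.

```shell
#!/bin/sh
# audit_bin_perms APP_DIR
# Prints "<mode> <path>" for every script in APP_DIR/bin (a file whose first
# line starts with "#!") that lacks the owner execute bit.
# Returns 0 if every script is executable, 1 if any is not, 2 on bad input.
# Assumption: the account running Splunk owns the files, so the owner bit
# is the one that matters.
audit_bin_perms() {
    bin_dir="$1/bin"
    if [ ! -d "$bin_dir" ]; then
        echo "no bin directory under: $1" >&2
        return 2
    fi
    bad=0
    for f in "$bin_dir"/*; do
        [ -f "$f" ] || continue
        first_line=
        IFS= read -r first_line < "$f" || true
        case "$first_line" in
            '#!'*) ;;            # has a shebang: treat as a script
            *) continue ;;       # data file or README: skip
        esac
        # First field of ls -ld is the mode string, e.g. -rw-rw-rw-
        mode=$(ls -ld "$f" | awk '{print $1}')
        case "$mode" in
            ???[xs]*) ;;         # owner execute bit present
            *) printf '%s %s\n' "$mode" "$f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample tree (not real TA contents): one script with mode 755
# and one with mode 666, the "rw-rw-rw-" case reported in the thread.
make_sample_app() {
    app=$(mktemp -d) || return 1
    mkdir "$app/bin"
    printf '#!/bin/sh\necho cpu\n' > "$app/bin/good.sh"
    printf '#!/bin/sh\necho df\n' > "$app/bin/stripped.sh"
    printf 'not a script\n' > "$app/bin/README"
    chmod 755 "$app/bin/good.sh"
    chmod 666 "$app/bin/stripped.sh" "$app/bin/README"
    echo "$app"
}
```

Run `audit_bin_perms` against the deployed Splunk_TA_nix directory on each server; any line it prints is a script the scripted inputs cannot execute until the execute bit is restored.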

gcusello
SplunkTrust

Hi @bwhite ,

Good for you, see you next time!

Let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma