All Apps and Add-ons

Debugging TA_nix not reporting

bwhite
Engager

I edited the conf files on my local server before deploying, so I know they are all identical.

I have 5 servers.

I copied the Splunk_TA_nix folder to apps.

3 of the 5 have data showing up for the new "os" index.

splunkd.log, in fact the whole splunk/log folder, didn't have any errors.

But it also didn't have any mention of "idx=os" on the missing servers.

I ran some of the scripts in Splunk_TA_nix/bin in debug mode. No errors.

What log file or index do I check to debug the issue?

Labels (2)
0 Karma

thahir
Path Finder

@bwhite have you check the internal logs for the remaining 2 server which is not reporting to splunk

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @bwhite,

Some checks:

  • have you other logs (e.g. internal or application) from the missing servers?
  • did you check that the TA_nix was correctly deployed to thos servers?
  • did you check that in thos servers the user runnig Splunk has the grants to read files and execute scripts?

Ciao.

Giuseppe

bwhite
Engager

Thanks for the reply.

I did finally get back to this issue.
I checked and noticed that the execute permissions were missing from the scripts as you mentioned.

rw-rw-rw-

Adding those permissions helped but something else was still missing that I never found.

I finally solved it by downloading it directly to the server and expanding it there instead of downloading it and unzipping it on my machine first.

Everything magically started working.

Hope that helps,
Brad.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I suppose you unpacked and re-packed the TA on a windows box. That's typical for windows to mess up with unix permissions so it's not a good idea to - for example - run windows-based deployment server for unix clients.

Anyway, instead of editing files within the app (I hope you edited the local/ files, not the default/ ones) you can create an app with configs overwriting settings from the app. This way it might be more manageable.

gcusello
SplunkTrust
SplunkTrust

Hi @bwhite ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...