All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting invalid routing group error in splunk cef output.log

prasad_mehta23
Engager
‎05-23-2017 11:16 PM

We have cluster deployment setup. I installed Splunk App for CEF on search head and created a data model and CEF output.
Then exported the add-on and install on Splunk indexer through Cluster-Master. Require firewall and routing is fine. But i am getting below error in cefout.log

DEBUG ARGS: [u'routing=broker']
WARNING Invalid routing group 'broker'

Note:broker is my search name in cef output.

Could anyone let me know , why this invalid routing error appears? Whats its significance? How to fix this?

Reply

DavidH1
Explorer
‎08-01-2017 12:37 PM

I had this exact issue, but I am on a clustered search head and clustered indexer environment. If you run the search command manually (go to Search Head -> Settings -> Searches, Reports, and Alerts -> App: Splunk App for CEF -> Run ) you get the same error as https://answers.splunk.com/answers/538377/splunk-app-for-cef-how-to-resolve-error-search-fac.html -- "Search Factory: Unknown search command 'cefout'".

To fix this I moved the bin folder and the commands.conf to the Splunk_TA_cefout app on the indexers and it resolved my issue.

Reply

abdulaziz_991
Engager
‎06-19-2017 02:42 AM

have same issue

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...