I've just installed the HadoopOps app + dependencies and have some problems getting it to work.
First, opening the "Manage Services" popup throws an exception:
"UnboundLocalError: local variable 'job' referenced before assignment"
Second, the ftr_lookup input does not work. Splunk throws the following exception upon startup:
message from "python /opt/splunk/etc/apps/SA-HadoopOps/bin/scripted_inputs/ftr_lookups.py" splunk.SearchException: Invalid session token: 264afd65bc2120efa7ab3974f42471f8
After running the saved searches referenced in the script all the lookup tables are working.
After fixing the lookup tables, the Home view says:
No matching fields exist
and some searches still don't generate any results ...
Unfortunately the documentation for this app is not very helpful on these issues and there are no (not even unanswered!) questions for HadoopOps in splunkbase. Does anybody even use this app and knows how i can get the errors fixed?
Thanks a lot!
With respect to "Manage Services" modal, it appears the underlying search dispatch for retrieving list of services is failing.
Is it possible you have an older SA-HadoopOps? You can quickly verify by ensuring this file contains the saved search "_retrievelive_components":
Then, try to run it separately by going to:
Search App > Click 'Searches & Report' menu > Click '_retrievelive_components'
where you should expect a list of hosts & services.
If this looks fine, then we need to dig further into what's going on in your specific instance.
Thanks for pointing this out. Irrespective of that search dispatch failure, the exception should be properly handled, and we shall put in appropriate error messaging.
the _retrievelive_components savedsearch exists on my system. running the search manually still gives me "No matching fields exist".
maybe i'm missing some information in my hadoop config that the introspection expects to be there?
This is due to 'table' command, part of _retrievelive_components saved search, listing fields that don't exist.
This leads me to believe it's either a field extraction permissions issue, or more likely, the data of source 'ps' is not making it to splunk.
One place to debug further is macro search
hadoop_ps to see if hadoop java processes are being captured at all.
I redid our Hadoop Setup and tried to setup HadoopOps again and found the issue: I didn't have an admin user, so the passAuth stuff did not work. After creating an admin user everything worked out fine.