I get this error when I try to run the splencore.sh scripts in the eStreamer eNcore app. I found that it is trying to import a module for the eStreamer eNcore preflight checks. This is holding up the app from starting up.
Does anyone have any ideas how to correct this issue?
Thank you.
The splencore scripts will only run when run by Splunk itself - they're not designed to be run directly by the user. (They rely on environment variables specific to the Splunk user).
Navigate to app settings in Splunk – from the home page, click the “cog” icon
Find Cisco eStreamer eNcore for Splunk and click “Set-up”
At a minimum:
Each time you load this page, “Process PKCS12 file” is reset to “no” and the password is not saved. It used once to process the PKCS12 file using openSSL and store a public-private key pair.
Now enable the data inputs in Splunk.
Navigate to Settings > Data Inputs > Files & Directories
and enable the single TA-eStreamer app input (cisco:estreamer:data) – this is the where the main output data files are saved
Now navigate to Settings > Data Inputs > Scripts
and enable the three TA-eStreamer inputs:
Finally, once you have fully configured the collector and enabled the inputs, navigate back to the set-up page in app settings, enable eNcore (“is enabled?”) and press save.
To check the status, search for sourcetype="cisco:estreamer:status"
To check more detailed log output, search for sourcetype="cisco:estreamer:log"
To look for eStreamer data, search for sourcetype=" cisco:estreamer:data"