Installation cacti splunk cluster

Path Finder

Regards,

    Currently, you try to install the app in a cluster environment, 3 search heads and 6 indexers, but at the time of deploy and bundle, from the search head the following message is displayed:

[splunk-indexer-01-cnt] Streamed search execute failed because: Error in 'SearchParser': The search specifies a macro 'cacti_index' that can not be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

    This message appears for each indexer.

    Is there any recommendation and configuration in the search head and indexer? All permissions have been enabled for cacti macros and we have not had favorable answers.

    I hope you can help me.


Re: Installation cacti splunk cluster

Splunk Employee

I would imagine that the macro doesn't exist on the indexers, or the permissions on the macro might be wrong?

Was the app pushed to the indexer cluster?

When you are running your search, which app are you in? Check if the macro permissions are global:

It appears global in my instance.

The macro is technically not mandatory for your searches either, it was just best practice to allow the users to change it, so you could technically just not use it as well.

Hit me up on Slack if you are in the chat (splk.it/slack to sign up), I'm @mattymo

Re: Installation cacti splunk cluster

Path Finder

Thanks for the prompt response.

The macro currently exists in each indexer and the write permissions have been modified in the same way. The write and read permissions of the .conf have also been modified, thinking about the possibility that these files could be interfering.


Re: Installation cacti splunk cluster

Path Finder

The app is in the indexer and deployed in the search head. The strange thing is that in the index cacti there is information and from the search head there are errors but in the indexer no, but there is no information.

[Screenshot: indexer]

[Screenshot: search head]


Re: Installation cacti splunk cluster

Splunk Employee

So, you have GUI access to your indexer cluster members?

What happens when you search with the macro in search and reporting app on the indexer?

What happens when you search index=cacti on the indexer?

Can you get CLI on the indexer and double check $SPLUNK_HOME/etc/apps/Splunk_TA_Cacti/default/macros.conf and see what is in there?

Also be sure that the cacti index you created is present on the indexers too. As per our Splunkbase docs:

This TA can be deployed to the indexer without any further changes.
It is recommended to create a new index called cacti. An indexes.conf file is not included with this TA.

The miragelookupbuild search relies on the scripted input that needs to run and send us sourcetype=cacti:lookup:mirage. Are you seeing any of that? If not, go to the forwarder running on Cacti and check $SPLUNK_HOME/etc/apps/Splunk_TA_Cacti/default/inputs

[script://./bin/cacti_lookup_mirage.py /usr/share/cacti]
source = cacti_lookup_mirage.py
disabled = true
index = cacti
sourcetype = cacti:lookup:mirage
interval = 0 6 * * *
#interval = 86400

Re: Installation cacti splunk cluster

Path Finder

What happens when you search with the macro in search and reporting app on the indexer?

A: I do not know the use of macros, but I think the query would be like this:

sourcetype=cacti:lookup:mirage | cacti_index

warning Search Factory: Unknown search command 'index'.


what happens when you search index=cacti on the indexer?

A: There are currently events and can be viewed from the indexers like the search head index = cacti

can you get cli on the indexer and double check $SPLUNK_HOME/etc/apps/Splunk_TA_Cacti/default/macros.conf and see what is in there?

A: Being a cluster distribution, I only see that the following files are inside the path

$SPLUNK_HOME/etc/apps/Splunk_TA_Cacti/
    local
    > eventtypes.conf
    metadata
    > local.meta

0 Karma
Highlighted

Re: Installation cacti splunk cluster

Splunk Employee

You search with the macro with backticks around the macro name - `cacti_index` - simply put this in your search bar, not after any pipes etc.

Sounds like your index is good to go and you are receiving the mirage_poller_output.log properly, so that is good.

On your cluster members you should have $SPLUNK_HOME/etc/apps/Splunk_TA_Cacti/default that contains the macro definition. It can be in local too if you want, but if you don't have a macros.conf in the Splunk_TA_Cacti app on the clustered indexers, that is your problem.
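
The check described in the reply above, as an added example that is not part of the original thread or the TA's own code: it inspects one app directory for a `cacti_index` stanza in `default/` or `local/macros.conf` and for a global (`export = system`) setting in the app's metadata. The two directory layouts, the macro definition `index=cacti`, the metadata contents and the simplified precedence rule are assumptions constructed for the demonstration.

```python
import os
import tempfile

MACRO = "cacti_index"  # macro named in the SearchParser error

def read_stanzas(path):
    """Minimal .conf/.meta reader: {stanza: {key: value}}; missing file -> {}."""
    stanzas, current = {}, None
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None:
                key, _, value = line.partition("=")
                current[key.strip()] = value.strip()
    return stanzas

def check_macro(app_dir, macro=MACRO):
    """Return (layers that define the macro, True if exported globally)."""
    defined_in = [layer for layer in ("default", "local")
                  if macro in read_stanzas(os.path.join(app_dir, layer, "macros.conf"))]
    metas = [read_stanzas(os.path.join(app_dir, "metadata", m))
             for m in ("default.meta", "local.meta")]
    export = None
    # Assumed simplified precedence: more specific stanza wins, local over default.
    for name in ("", "macros", "macros/" + macro):
        for stanzas in metas:
            export = stanzas.get(name, {}).get("export", export)
    return defined_in, export == "system"

# Constructed layouts: what the indexer listing in the thread shows vs. what is expected.
AS_REPORTED = {"local/eventtypes.conf": "", "metadata/local.meta": "[macros]\nexport = system\n"}
EXPECTED = {"default/macros.conf": "[cacti_index]\ndefinition = index=cacti\n",
            "metadata/default.meta": "[]\nexport = system\n"}

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in (("as_reported", AS_REPORTED), ("expected", EXPECTED)):
            app = os.path.join(tmp, label, "Splunk_TA_Cacti")
            for rel, text in files.items():
                os.makedirs(os.path.dirname(os.path.join(app, rel)), exist_ok=True)
                with open(os.path.join(app, rel), "w", encoding="utf-8") as fh:
                    fh.write(text)
            results[label] = check_macro(app)
    return results
```

In the first layout the permissions are global but no layer defines the macro, which is the case where changing permissions alone cannot clear the error.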


Re: Installation cacti splunk cluster

Path Finder

With respect to just putting cacti_index in the search, Splunk shows the information.

With respect to which the files are not in the indexer, but is it necessary that they be there? The app was deployed just so that the index = cacti was replicated to the 6 indexers... or should it only be deployed in the search head? The documentation only says that certain configurations must be created or modified depending on the need or UF or SH.

With respect to the configurations from the Universal Forwarder, they are fine since the information is being indexed.


Re: Installation cacti splunk cluster

Path Finder

To perform a further test, the entire default folder is copied to an index and the error message continues to appear.
