Installing the Splunk App and Add-on for Unix and Linux in my search head cluster, why am I unable add categories/groups?


I installed the Splunk App for Unix and Linux 5.0.2 on my search head cluster. Installed the SA-nix app on the search heads and indexers, and deployed the Splunk Add-on for Unix and Linux everywhere.

Now when I try to go into setup to add categories/groups, I create a category, then add a group to it ... and immediately the app starts spinning on 'loading' (in the "Hosts not in" area). It never ends. I assumed that was related to the dynamically created dropdowns.csv but I'm not positive. On the indexers, dropdowns.csv does get created when Splunk is restarted, but it doesn't really represent every host that would be sending data to my indexing pool.

On the search heads, I tried manually generating my own dropdowns.csv, that prepopulated categories and groups with hosts.

But ultimately, the search heads started complaining like mad about stuff not being on the indexers.

I have since removed SA-nix from everywhere.

My question would be .. does this sound familiar, or is there more detailed documentation about these lookups that the app is dependent on and how to ensure that they're all available?

Support for SHC for the NIX App is currently in progress but isn't available as of yet.