I'm using Splunk-Light, running it as a non-root user. That part seems to be going fine so far, but I'm having trouble with the "Splunk Add-on for Unix and Linux". When I try to enable something like cpu.sh and click save, it simply says that an error has occurred and to reload the page. Reloading the page doesn't seem to make any difference. I checked the Splunk log at $SPLUNK_HOME/var/log/splunk/splunkd.log but didn't see any errors there about my issue. The log only notes that there is a "New scheduled exec process".
Is this something that has to do with not having root access to the server?
Is there somewhere else I should be looking for more information about this error?
Thanks!
Typically, in a case like this, I try to run the script by hand with the effective UID of the same user that owns the splunkd process. If the script(s) are having problems running as non-root (or otherwise), there should be some indication in STDOUT; if not, then splunkd.log should contain some info.
I started on a Splunk trial, then I got a trial license that made it Splunk Enterprise for a while. But we knew we'd be purchasing Splunk Light the whole time. It says "Splunk Light" under the current license on the license page.
Okay, I wonder if something is gummed up with your licensing. Does the UI look like this?
Or is it the classic green Splunk Enterprise look?
I can't see the picture you linked, but mine is the one that says "splunk>light" and is a sort of orange color. I think you might be right though. Manage accounts says that I am licensed for 4294967295 accounts. IIRC Splunk Light only allows 5.
Okay splunk > light and orange is definitely Splunk Light. 🙂 Sorry about the issue with my images and links, I have reported it to the Splunk Answers team.
So you might have a licensing issue, which might or might not be related to your original question. The Unix add-on ships with Splunk Light and you should be able to enable it locally, without download. If you have a Support agreement in place, I suggest you file a case for this one, because there might be a couple of intertwined issues.
Did you enable it from within Splunk Light (the Splunk Light Add-Ons page, as described here: http://docs.splunk.com/Documentation/SplunkLight/6.2.3/GettingStarted/Configureanadd-ontoadddata)? Or did you try to install and configure it manually?
I completely removed the app with the instructions from http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Managingappobjects#Uninstall_an_app_or_add-o... . Then tried to install it from the web app, but get an error of
An error occurred while downloading the app: [HTTP 404] https://127.0.0.1:8089/services/apps/remote/entriesbyid/Splunk_TA_nix
Hi,
I will be posting this reply to the posts that I can find. I know it's a late reply to some, but I hope this will help you all, and anyone having similar issues in the future.
The issue I will be discussing here is when Splunk update does NOT update from Splunk Web, and when you search for the error you find something similar to this:
splunk.ResourceNotFound: [HTTP 404]
Explanation of how it really works:
When you try to update the app, Splunk Web makes a call to itself (127.0.0.1) on port 8089 for SplunkD at /services/apps/remote/entriesbyid/<your_app>, e.g.:
https://127.0.0.1:8089/services/apps/remote/entriesbyid/Splunk_TA_windows
which you can check yourself with a simple curl:
curl -k --user "admin:changeme" https://127.0.0.1:8089/services/apps/remote/entriesbyid/Splunk_TA_windows
This call gets proxied via the SplunkD process to the internet, which would end up calling https://splunkbase.splunk.com/api/apps/entriesbyid/<your_app>
which you can check yourself with a simple curl:
curl -k https://splunkbase.splunk.com/api/apps/entriesbyid/Splunk_TA_windows
Now the issues here can be numerous from here on. To give some examples:
One of the ways you can check for networking issues is to do a tcpdump packet capture and check the SSL conversation:
tcpdump -i <interface> -s 65535 port 443 -w /tmp/port443.pcap
That's for people who are familiar with what a packet capture looks like and can understand its contents.
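Added example, not part of the original post or of Splunk's own tooling: a shell sketch that probes both hops described above (the splunkd endpoint on 127.0.0.1:8089 and the Splunkbase URL it is proxied to) and reports which one is failing. SPLUNK_USER, the function names and the diagnosis wording are assumptions; the two URLs are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). SPLUNK_USER and all function
# names are hypothetical; the two base URLs are the ones quoted in the post.
LOCAL_BASE="https://127.0.0.1:8089/services/apps/remote/entriesbyid"
REMOTE_BASE="https://splunkbase.splunk.com/api/apps/entriesbyid"

# probe URL [extra curl args...] -> prints "<curl_exit>:<http_code>"
probe() {
    url=$1; shift; rc=0
    code=$(curl -sS -o /dev/null --max-time 20 -w '%{http_code}' "$@" "$url") || rc=$?
    printf '%s:%s\n' "$rc" "${code:-000}"
}

# classify LOCAL REMOTE -> one-line diagnosis; each argument is "<curl_exit>:<http_code>"
classify() {
    l_rc=${1%%:*}; l_http=${1##*:}
    r_rc=${2%%:*}; r_http=${2##*:}
    case "$r_rc" in
        0)     ;;
        6)     echo "DNS: this host cannot resolve splunkbase.splunk.com"; return ;;
        7|28)  echo "network: outbound 443 to Splunkbase refused or timed out"; return ;;
        35|60) echo "TLS: handshake or certificate validation to Splunkbase failed"; return ;;
        *)     echo "remote: direct request failed (curl exit $r_rc)"; return ;;
    esac
    if [ "$l_rc" -ne 0 ]; then
        echo "splunkd: management port 8089 not reachable (curl exit $l_rc)"; return
    fi
    case "$l_http:$r_http" in
        401:*)   echo "auth: splunkd rejected the credentials" ;;
        200:200) echo "ok: both hops answer" ;;
        404:200) echo "splunkd: this host reaches Splunkbase, so the failure is in splunkd's proxied request" ;;
        404:404) echo "app id: Splunkbase returns 404 for this id as well" ;;
        *)       echo "unexpected: local HTTP $l_http, remote HTTP $r_http" ;;
    esac
}

check_update_path() {
    app=$1
    # -k only on the loopback hop (as in the post's curl); Splunkbase's certificate is verified.
    # -u with a bare user name makes curl prompt, keeping the password out of argv and history.
    l=$(probe "$LOCAL_BASE/$app" -k -u "${SPLUNK_USER:-admin}")
    r=$(probe "$REMOTE_BASE/$app")
    classify "$l" "$r"
}

if [ "${1:-}" = "--run" ]; then check_update_path "$2"; fi
```

Run it as the user that owns the splunkd process, for example `sh check.sh --run Splunk_TA_nix` (the file name is arbitrary), so the direct request leaves the host under the same account.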
That is odd. If you are enabling it from within Splunk Light, it shouldn't need to go download it. This sounds more like the Splunk Enterprise workflow. So just to confirm one more time: you are using Splunk Light, not a Splunk Enterprise Trial, Splunk Free, or the free Splunk Cloud trial?