Is it possible to use the Splunk Add-on for Unix and Linux on Splunk Light without root access?

neilnorman
Engager

I'm using Splunk-Light, running it as a non-root user. That part seems to be going fine so far, but I'm having trouble with the "Splunk Add-on for Unix and Linux". When I try to enable something like cpu.sh and click save, it simply says that an error has occurred and to reload the page. Reloading the page doesn't seem to make any difference. I checked the splunk log at $SPLUNK_HOME/var/log/splunk/splunkd.log but didn't see any errors there about my issue. The log only notes that there is a "New scheduled exec process".

Is this something that has to do with not having root access to the server?

Is there somewhere else I should be looking for more information about this error?

Thanks!

0 Karma

jterry
Splunk Employee

Typically, in a case like this, I try to run the script by hand with the effective UID of the same user that owns the splunkd process. If the script(s) are having problems running as non-root (or otherwise), there should be some indication in STDOUT; if not, then splunkd.log should contain some info.

0 Karma

neilnorman
Engager

I started on a Splunk trial, then I got a trial license that made it Splunk Enterprise for a while. But we knew we'd be purchasing Splunk Light the whole time. It says "Splunk Light" under the current license on the license page.

0 Karma

ChrisG
Splunk Employee

Okay, I wonder if something is gummed up with your licensing. Does the UI look like this?

Splunk Light licensing
(http://imgur.com/lTQcdKk)

Or is it the classic green Splunk Enterprise look?

Splunk Enterprise licensing
(http://i.imgur.com/HwpYf1y)

0 Karma

neilnorman
Engager

I can't see the picture you linked, but mine is the one that says "splunk>light" and is a sort of orange color. I think you might be right though. Manage accounts says that I am licensed for 4294967295 accounts. IIRC Splunk Light only allows 5.

0 Karma

ChrisG
Splunk Employee

Okay splunk > light and orange is definitely Splunk Light. 🙂 Sorry about the issue with my images and links, I have reported it to the Splunk Answers team.

So you might have a licensing issue, which might or might not be related to your original question. The Unix add-on ships with Splunk Light and you should be able to enable it locally, without download. If you have a Support agreement in place, I suggest you file a case for this one, because there might be a couple of intertwined issues.

0 Karma

ChrisG
Splunk Employee

Did you enable it from within Splunk Light (the Splunk Light Add-Ons page, as described here: http://docs.splunk.com/Documentation/SplunkLight/6.2.3/GettingStarted/Configureanadd-ontoadddata)? Or did you try to install and configure it manually?

neilnorman
Engager

I completely removed the app with the instructions from http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Managingappobjects#Uninstall_an_app_or_add-o... . Then tried to install it from the web app, but get an error of

An error occurred while downloading
the app: [HTTP 404]
https://127.0.0.1:8089/services/apps/remote/entriesbyid/Splunk_TA_nix

0 Karma

dtsariapkin
Splunk Employee

Hi,

I will be putting this reply to the posts that I can find. I know it's a late reply to some. But hope this will help you all. And anyone having similar issues in the future.

The issue I will be discussing here is when Splunk update does NOT update from Splunk Web. And when you search for the error you find something similar to this:
splunk.ResourceNotFound: [HTTP 404]

Explanation of how it really works:

When you try to update the app, Splunk Web makes a call to itself, 127.0.0.1 on port 8089 for SplunkD, at /services/apps/remote/entriesbyid/<your_app>, e.g. ->

 https://127.0.0.1:8089/services/apps/remote/entriesbyid/Splunk_TA_windows

which you can check yourself by simple CURL:

curl -k --user "admin:changeme" https://127.0.0.1:8089/services/apps/remote/entriesbyid/Splunk_TA_windows

 

This call is getting proxied via SplunkD process to the internet which would end up calling  https://splunkbase.splunk.com/api/apps/entriesbyid/<your_app>
 

which you can check yourself by simple CURL:

curl -k  https://splunkbase.splunk.com/api/apps/entriesbyid/Splunk_TA_windows

 

Now the issues here can be numerous from here on. To give some examples:

  1. Splunk has issues accessing internet from SplunkD process
  2. Certificate chain was changed. By default it is configured in server.conf
    [applicationsManagement]
    sslVerifyServerCert = false
  3. Proxy and/or Firewall in the middle which is changing certificates.

One of the ways you can check for networking issues is to do a tcpdump for packet capture and check the SSL conversation:
tcpdump -i <interface> -s 65535 port 443 -w /tmp/port443.pcap

That's for people who are familiar with what a packet capture looks like and can understand its contents.

Dmitrii T.
0 Karma
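
The two curl checks and the server.conf setting from the reply above, combined into one script; this is an added example, not part of the original post and not Splunk tooling. It assumes SPLUNK_AUTH holds user:password and that server.conf sits under $SPLUNK_HOME/etc/system/local, and the verdict labels are invented here. Unlike the post's second curl, the direct Splunkbase request keeps certificate verification on, so a proxy that rewrites certificates shows up as status 000.

```shell
#!/bin/sh
# Added example, not from the post. SPLUNK_AUTH and the verdict labels are assumptions.

# Print the HTTP status for URL ($1); curl prints 000 when no HTTP response
# arrived (DNS, TCP or TLS failure). Remaining arguments go to curl.
http_code() {
    url=$1; shift
    curl -s -o /dev/null --max-time 15 -w '%{http_code}' "$@" "$url" || true
}

# Print the value of KEY ($3) inside [STANZA] ($2) of Splunk .conf file $1.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^\[/ { in_s = ($0 == want); next }
        in_s && /^[^#]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); sub(/[ \t]+$/, "", k)
            v = substr($0, index($0, "=") + 1);    sub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Map the two status codes onto the failure causes listed in the post.
classify() {   # $1 = status via splunkd, $2 = status direct from Splunkbase
    case "$1:$2" in
        000:*)   echo "splunkd-management-port-unreachable" ;;
        401:*)   echo "bad-splunkd-credentials" ;;
        200:*)   echo "ok" ;;
        *:000)   echo "host-cannot-reach-or-verify-splunkbase" ;;
        *:404)   echo "app-id-unknown-to-splunkbase" ;;
        404:200) echo "splunkd-side-fetch-failed" ;;
        *)       echo "unclassified" ;;
    esac
}

main() {
    app=$1
    : "${SPLUNK_AUTH:?set SPLUNK_AUTH=user:password}"
    conf="${SPLUNK_HOME:-/opt/splunk}/etc/system/local/server.conf"
    via=$(http_code "https://127.0.0.1:8089/services/apps/remote/entriesbyid/$app" -k --user "$SPLUNK_AUTH")
    direct=$(http_code "https://splunkbase.splunk.com/api/apps/entriesbyid/$app")
    echo "splunkd=$via splunkbase=$direct verdict=$(classify "$via" "$direct")"
    if [ -r "$conf" ]; then
        echo "local sslVerifyServerCert=$(conf_get "$conf" applicationsManagement sslVerifyServerCert)"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as the user that owns splunkd with the app id as the first argument, for example Splunk_TA_nix.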

ChrisG
Splunk Employee

That is odd. If you are enabling it from within Splunk Light, it shouldn't need to go download it. This sounds more like the Splunk Enterprise workflow. So just to confirm one more time: you are using Splunk Light, not a Splunk Enterprise Trial, Splunk Free, or the free Splunk Cloud trial?
