
Resilient-add-on and Search Head Cluster

simony
Path Finder

Hi all

I wanted to ask if Splunk's Resilient add-on is also compatible with a search head cluster? I currently have the problem that the exact same app and configuration works on a standalone search head, but not on a SHC. I receive the following error messages:

01-22-2018 14:03:22.531 +0100 WARN sendmodalert - action=resilient - Alert action script returned error code=1

The connection of the app to the Resilient server works perfectly. That's why it shows me the fields in the alert_action. Could someone help me here? Where can I find more log information, so that I can find out what the problem is?

Best Regards,
Yanick


ibmresilient
Path Finder

Hello Yanick,

If you can access the Splunk server, the log files can be found in $SPLUNK_HOME/var/splunk/log. There are 3 log files that might contain useful information:
splunkd.log
resilient.log
python.log

There are several possible causes, without detailed info from the log files:
1. Network issue. Please check connectivity from the SHC to the Resilient Server. Also make sure that port 443 is not blocked.
2. Field mapping issue. If a custom incident field has been added to Resilient Server, the config used by the resilient-add-on needs to be updated as well. So a user needs to re-run the app config on the deployer to get the new config, and then push the new config to all the SHC.

Thanks.
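
One way to run the log check suggested in the answer above, added here as an example (not code from the add-on or from any poster in this thread): it pairs each non-zero exit of the `resilient` alert action in splunkd.log with the STDERR lines logged before it. The STDERR line layout, the keyword hints, the host name and the sample lines are assumptions constructed for illustration.

```python
import re

# sendmodalert entries in splunkd.log. Tolerates spaces around "=" and inside the
# timestamp (as in the line quoted in the question) and an optional [pid thread] tag.
ENTRY = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} [\d:. ]+? [+-]\d{4})\s+(?P<level>\w+)\s+"
    r"sendmodalert\s+(?:\[[^\]]*\]\s+)?-\s+"
    r"action\s*=\s*(?P<action>[\w.-]+)\s+(?P<rest>.*)$"
)
EXIT = re.compile(r"returned error code\s*=\s*(?P<code>-?\d+)")

# Assumed keyword hints for the two causes named in the answer (not an official list).
HINTS = {
    "network": ("timed out", "connection", "ssl", "proxy"),
    "field mapping": ("field", "invalid value", "required"),
}

# Constructed sample lines (assumed layout; not taken from the poster's system).
SAMPLE = [
    "01-22-2018 14:03:21.900 +0100 ERROR sendmodalert - action=email STDERR - unrelated",
    "01-22-2018 14:03:22.520 +0100 ERROR sendmodalert - action=resilient STDERR - "
    "ConnectionError: connection to resilient.example.com:443 timed out",
    "01-22-2018 14:03:22.531 +0100 WARN sendmodalert - action=resilient - "
    "Alert action script returned error code=1",
]

def triage(lines, action="resilient"):
    """Pair each non-zero exit of the alert action with the STDERR lines before it."""
    failures, stderr = [], []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or m["action"] != action:
            continue  # other alert actions and non-sendmodalert lines are ignored
        rest = m["rest"]
        if rest.startswith("STDERR"):
            stderr.append(rest.split("-", 1)[-1].strip())
            continue
        code = EXIT.search(rest)
        if code and int(code["code"]) != 0:
            text = " ".join(stderr).lower()
            likely = [c for c, kws in HINTS.items() if any(k in text for k in kws)]
            failures.append({"time": m["ts"], "code": int(code["code"]),
                             "stderr": stderr, "likely": likely or ["unknown"]})
            stderr = []  # start collecting for the next invocation
    return failures

if __name__ == "__main__":
    for failure in triage(SAMPLE):
        print(failure)
```

On a search head cluster the alert can fire on any member, so the same check has to be run against splunkd.log on each member.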


skywalker
Observer

Hello @ibmresilient ,

It's been 2 years but I'm facing this issue and I raised a case to IBM but unfortunately they confirmed that this app is not supported on SHC and they'll upgrade the app for SHC by the end of 2021 Q1.

I'd like to ask you guys how you manage this app on SHC? You may have a different workaround for that.

Thanks in advance