
Resilient-add-on and Search Head Cluster

simony
Path Finder

Hi all

I wanted to ask whether Splunk's Resilient add-on is also compatible with a search head cluster. I currently have the problem that the exact same app and configuration works on a standalone search head, but not on a SHC. I receive the following error message:

01-22-2018 14:03:22.531 +0100 WARN sendmodalert - action=resilient - Alert action script returned error code=1

The connection of the app to the Resilient server works perfectly; that's why it shows me the fields in the alert action. Could someone help me here? Where can I find more log information so that I can find out what the problem is?

Best Regards,
Yanick


ibmresilient
Path Finder

Hello Yanick,

If you can access the Splunk server, the log files can be found in $SPLUNK_HOME/var/splunk/log. There are 3 log files that might contain useful information:
splunkd.log
resilient.log
python.log

There are several possible causes, without detailed info from the log files:
1. Network issue. Please check connectivity from the SHC to the Resilient Server. Also make sure that port 443 is not blocked.
2. Field mapping issue. If a custom incident field has been added to the Resilient Server, the config used by the resilient-add-on needs to be updated as well. So a user needs to re-run the app config on the deployer to get the new config, and then push the new config to all the SHC members.

Thanks.

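The two causes above are easiest to rule out from a shell on one SHC member. The following helper is an added example, not code from the thread or from the Resilient add-on; it assumes the standard Splunk log location `$SPLUNK_HOME/var/log/splunk` (override `SPLUNK_HOME` if your install differs), that `nc` or bash is available for the port check, and it uses constructed sample log lines (not real output) so the parsing can be tried offline:

```shell
#!/bin/sh
# Added troubleshooting helper for the causes listed above. Not from the thread
# or the add-on; paths, host names and the sample log lines are assumptions.

# Standard Splunk layout assumed; override SPLUNK_HOME if your install differs.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_LOG_DIR="$SPLUNK_HOME/var/log/splunk"

# Read splunkd.log-style lines on stdin and print one line per failed alert
# action invocation, as "<date> <time> <action> <return code>".
failed_alert_actions() {
    grep 'sendmodalert' | grep 'returned error code' |
    sed -n 's/^\([0-9-]* [0-9:.]*\).*action *= *\([^ ]*\).*error code *= *\([0-9]*\).*/\1 \2 \3/p'
}

# Count failures for a single action name, e.g. "resilient" (field 3 is the action).
count_failures() {
    failed_alert_actions | awk -v a="$1" '$3 == a' | wc -l | tr -d ' '
}

# Show the most recent Resilient/sendmodalert lines from the three log files
# the answer names, skipping any file that is absent on this member.
triage_member_logs() {
    for f in splunkd.log python.log resilient.log; do
        [ -r "$SPLUNK_LOG_DIR/$f" ] || continue
        printf '== %s ==\n' "$f"
        grep -i -E 'resilient|sendmodalert' "$SPLUNK_LOG_DIR/$f" | tail -n 20
    done
}

# Confirm this SHC member can open TCP 443 (or another port) to the Resilient server.
# Returns 0 when the port is reachable. Uses nc if present, else bash's /dev/tcp.
check_resilient_port() {
    host="$1"
    port="${2:-443}"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port"
    else
        timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Constructed sample lines (not real log output) so the parsing can be tried offline.
SAMPLE_LOG='01-22-2018 14:03:22.531 +0100 WARN  sendmodalert - action=resilient - Alert action script returned error code=1
01-22-2018 14:03:22.540 +0100 INFO  sendmodalert - action=email - Alert action script completed in duration=120 ms with exit code=0
01-22-2018 14:05:10.002 +0100 WARN  sendmodalert - action=resilient - Alert action script returned error code=1'

# Demonstration on the constructed sample: lists the two resilient failures.
printf '%s\n' "$SAMPLE_LOG" | failed_alert_actions
printf 'resilient failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_failures resilient)"
```

Run `triage_member_logs` and `check_resilient_port <resilient-host>` on each member, not just the captain, since a member that cannot reach the server will fail only when the alert happens to run there. If the logs point at a field mapping problem instead, re-run the add-on's setup on the deployer and push the result with `splunk apply shcluster-bundle` from the deployer so every member gets the same configuration.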

skywalker
New Member

Hello @ibmresilient ,

It's been 2 years, but I'm facing this issue. I raised a case with IBM, but unfortunately they confirmed that this app is not supported on SHC and that they'll upgrade the app for SHC by the end of Q1 2021.

I'd like to ask you how you manage this app on SHC? You may have a different workaround for that.


Thanks in advance
