I wanted to ask if Splunk's Resilient add-on is also compatible with a search head cluster? I currently have the problem that the exact same app and configuration works on a standalone search head, but not on a SHC. I receive the following error messages:
The connection of the app to the Resilient server works perfectly; that's why it shows me the fields in the alert_action. Could someone help me here? Where can I find more log information, so that I can find out what the problem is?
If you can access the Splunk server, the log files can be found in $SPLUNK_HOME/var/splunk/log. There are 3 log files that might contain useful information:
There are several possible causes, without detailed info from the log files:
1. Network issue. Please check connectivity from the SHC to the Resilient Server. Also make sure that port 443 is not blocked.
2. Field mapping issue. If a custom incident field has been added to the Resilient Server, the config used by the resilient-add-on needs to be updated as well. So a user needs to re-run the app config on the deployer to get the new config, and then push the new config to all SHC members.