Splunk App for CEF 2.0: Is receiving "Invalid routing group" error expected behavior when using "cefout" command?

shftleft
Engager

Hello,

I've installed the Splunk App for CEF 2.0, configured the field mappings and destination syslog server, and pushed the generated TA to the indexers.

When I run the search that's generated with |cefout my_routing_group, though, the Python script throws an error that it's an invalid routing group, which makes sense because the only place that group is defined is in the outputs.conf in the TA that's generated to go to the indexers.

Is this expected behavior? I don't see the data going to the /spool directory on the indexer. But, when I change the output group to 'cefroute' it sends the files to the spool directory on the search head. Any insight is appreciated.

hazekamp
Builder

There shouldn't be any errors being thrown. We do WARN if the command is being asked to run on a server where the routing group isn't present:

        # at least one routing group should exist
        valid = any(group['name'].endswith('stash_cef_%s' % val) for group in input_groups['entry'])
        if valid:
            # store routing group for easy access
            self.routing = val
        else:
            self.logger.warn("Invalid routing group '%s'", val)

This is expected/benign for the Search Head, as it will not have the input/output routing groups installed by virtue of Splunk_TA_cefout. If this error is present on any systems which are expected to be forwarding data, then an investigation as to why the configurations are not present must be conducted.
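To make the check above concrete, here is an added stand-alone example (not code from the Splunk App for CEF itself) that re-implements the routing-group validation over a constructed outputs.conf. The stanza names, server addresses and the `tcpout:` prefix are assumptions for illustration; the point it shows is that the same value is valid where the generated TA's outputs.conf is installed and only produces a warning where it is not.

```python
import logging
import re

# Constructed sample: what the generated TA's outputs.conf might contain on an
# indexer. Stanza names and addresses are made up for this example.
INDEXER_OUTPUTS_CONF = """
[tcpout]
defaultGroup = nothing

[tcpout:stash_cef_my_routing_group]
server = 10.0.0.5:514
sendCookedData = false
"""

# Constructed sample: a search head that never received the TA has no
# stash_cef_* group, only a plain tcpout stanza.
SEARCH_HEAD_OUTPUTS_CONF = """
[tcpout]
defaultGroup = nothing
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$", re.MULTILINE)


def group_entries_from_conf(conf_text):
    """Turn stanza headers into a list of {'name': ...} dicts, mirroring the
    shape of input_groups['entry'] that the cefout command iterates over."""
    return [{"name": m.group("name")} for m in STANZA_RE.finditer(conf_text)]


def find_routing_group(entries, val):
    """Same rule as the quoted snippet: a routing group is valid when at
    least one group name ends with 'stash_cef_<val>'. Returns the matching
    name, or None when nothing matches."""
    suffix = "stash_cef_%s" % val
    for group in entries:
        if group["name"].endswith(suffix):
            return group["name"]
    return None


def validate_routing_group(entries, val, logger=None):
    """Return True when the group exists; otherwise log the same WARN the
    command emits and return False (no exception, so this is benign)."""
    logger = logger or logging.getLogger("cefout_check")
    if find_routing_group(entries, val) is None:
        logger.warning("Invalid routing group '%s'", val)
        return False
    return True
```

Run `validate_routing_group(group_entries_from_conf(SEARCH_HEAD_OUTPUTS_CONF), "my_routing_group")` to reproduce the warning seen on the search head, and the same call with `INDEXER_OUTPUTS_CONF` to see it pass.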

sameeripro
Path Finder

The generated TA has to be extracted twice; then you will get a folder which includes files like app, output, ... Once you push this folder to the indexer, it will start forwarding the logs.
