
Splunk App for CEF: How to resolve error "Search Factory: Unknown search command 'cefout'" from indexer cluster peers?

mantod
Engager

I've installed and configured the Splunk App for CEF 2.0.0 on Splunk Enterprise 6.6.0. I've created a single CEF output and installed the generated cefout add-on to each indexer. It works fine for standalone indexers, but fails on each indexer cluster peer with the error (remote_searches.log):

05-22-2017 10:02:27.446 +0000 ERROR StreamedSearch - sid=remote_ip-{SEARCH HEAD}_rt_scheduler__admin_c3BsdW5rX2FwcF9jZWY__RMD5b4adc662619c6e71_at_1495447345_6, Search Factory: Unknown search command 'cefout'.

I can see the indexers have the command replicated from the search head:

/opt/splunk/var/run/searchpeers/ip-{SEARCH HEAD}-1495445826/apps/splunk_app_cef/bin/cefout.py

I don't understand why they're not using it, given that the non-clustered indexers use the same one just fine. What am I missing?

(FYI, I've worked around this problem for now by manually adding the cefout command to the generated cefout bundle. But I want to get to the point where I can use the generated bundle without manual changes, to avoid the chance of user error as administrators make further changes).

Any advice would be greatly appreciated. Thanks.

hazekamp
Builder

Be advised that the cefout search command and corresponding commands.conf need not be distributed to the indexer tier. The cefout command and corresponding commands.conf should be distributed to the indexer tier automatically via distributed search bundle replication. The more likely issue here is that something with distributed search bundle replication is not behaving properly.

We're not 100% certain of the root cause at this juncture, but there is at least one report that setting an explicit whitelist for splunk_app_cef files in distsearch.conf can mitigate the issue:

# distsearch.conf on the search head; [/\\] matches either path separator
# and the trailing ... matches everything below the app directory
[replicationWhitelist]
cef = apps[/\\]splunk_app_cef[/\\]...

Update: There are also reports that the error is occurring even when artifacts are properly replicated (and we have a working reproduction of this issue). There is a bug open with Splunk Enterprise pertaining to custom streaming commands not correctly being acquired from the bundle. It would make sense that placing the bin directory and corresponding commands.conf in an app installed directly on the indexer would help mitigate this specific issue.

Update: cefout.py refers to other libraries, so it is best to just include the whole bin dir.

DavidH1
Explorer

I had this exact issue, but I am on a clustered search head and clustered indexer environment. I fixed this by moving the splunk_app_cef/bin folder and the splunk_app_cef/default/commands.conf to the Splunk_TA_cefout app on the indexers and it resolved my issue.

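The workaround hazekamp suggests and DavidH1 applied (carry splunk_app_cef/bin and its commands.conf inside the add-on that is installed on the indexer itself, so the peer does not depend on bundle replication to find the command), written out as an added example. This is not code from the original thread or from the Splunk App for CEF. It assumes SPLUNK_HOME is /opt/splunk unless overridden, that the source is a copy of the splunk_app_cef app directory (taken from the search head or from a replicated bundle under var/run/searchpeers), that the generated add-on is named Splunk_TA_cefout as in the posts above, and a hypothetical CEF_TA_DIR variable for the destination. Putting the copied commands.conf under local/ rather than default/ is this example's choice, so a reinstall of the generated add-on does not silently drop it.

```shell
#!/bin/sh
# Added example (not from the original thread): stage the cefout custom
# command into the add-on installed directly on an indexer, then verify it.
# Assumed: SPLUNK_HOME (/opt/splunk by default), CEF_TA_DIR (hypothetical,
# the add-on directory on this host), app names as used in the thread.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
CEF_TA_DIR="${CEF_TA_DIR:-$SPLUNK_HOME/etc/apps/Splunk_TA_cefout}"

# stage_cefout_command SRC_APP DST_APP
# Copies the whole SRC_APP/bin (cefout.py imports other files there, so a
# single script is not enough) and SRC_APP/default/commands.conf into
# DST_APP/bin and DST_APP/local/commands.conf.  Refuses to overwrite an
# existing local/commands.conf so a hand-edited file is never clobbered.
stage_cefout_command() {
    src="$1"; dst="$2"
    [ -f "$src/bin/cefout.py" ] || { echo "no cefout.py under $src/bin" >&2; return 1; }
    [ -f "$src/default/commands.conf" ] || { echo "no commands.conf under $src/default" >&2; return 1; }
    if [ -e "$dst/local/commands.conf" ]; then
        echo "$dst/local/commands.conf already exists; merge by hand" >&2
        return 2
    fi
    mkdir -p "$dst/bin" "$dst/local"
    cp -R "$src/bin/." "$dst/bin/"
    cp "$src/default/commands.conf" "$dst/local/commands.conf"
}

# verify_cefout_command APP
# Succeeds only when APP carries bin/cefout.py and a [cefout] stanza whose
# filename points at it (local/ wins over default/, as Splunk resolves it).
# This is the state an indexer needs before '| cefout' from a search head
# can run without the command coming from the replicated bundle.
verify_cefout_command() {
    app="$1"
    [ -f "$app/bin/cefout.py" ] || return 1
    conf=""
    for f in "$app/local/commands.conf" "$app/default/commands.conf"; do
        if [ -f "$f" ]; then conf="$f"; break; fi
    done
    [ -n "$conf" ] || return 1
    awk '
        /^\[/ { in_stanza = ($0 == "[cefout]") }
        in_stanza && /^[ \t]*filename[ \t]*=[ \t]*cefout\.py[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# latest_bundle_has_cefout SEARCHPEERS_DIR
# The check the question performed by hand: does the most recently
# replicated bundle under var/run/searchpeers contain the command script?
# Useful to tell a replication problem apart from the command-loading bug.
latest_bundle_has_cefout() {
    latest=$(ls -td "$1"/*/ 2>/dev/null | head -n 1)
    [ -n "$latest" ] || return 1
    [ -f "${latest%/}/apps/splunk_app_cef/bin/cefout.py" ]
}

# Usage on an indexer:
#   sh stage_cefout.sh stage /path/to/copy/of/splunk_app_cef
#   sh stage_cefout.sh verify
#   sh stage_cefout.sh bundle        # inspect the replicated bundle instead
case "${1:-}" in
    stage)  stage_cefout_command "$2" "$CEF_TA_DIR" ;;
    verify) verify_cefout_command "$CEF_TA_DIR" && echo "cefout command present in $CEF_TA_DIR" ;;
    bundle) latest_bundle_has_cefout "$SPLUNK_HOME/var/run/searchpeers" \
                && echo "latest replicated bundle contains cefout.py" ;;
esac
```

On an indexer cluster peer, do not edit the add-on in place: peer apps live under etc/slave-apps and are overwritten the next time the cluster master pushes its bundle. Run the stage step against the master's copy of the add-on under etc/master-apps instead (set CEF_TA_DIR to that path), then push it with splunk apply cluster-bundle, and run the verify step on a peer afterwards.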