Splunk App for Unix and Linux: How to check splunk...

gsrikanth87 · ‎01-27-2015

logfiles: splunkd.log

forwarder side:

01-27-2015 14:12:44.726 -0500 ERROR ArchiveContext - archive writer failure: errno=Broken pipe
01-27-2015 14:12:44.726 -0500 ERROR ArchiveContext - From archive='/opt/splunkforwarder/etc/apps/TA-nmon/var/nmon_repository/bhcx27_150127_1357.nmon':  python: A file or directory in the path name does not exist.

central splunk:

01-27-2015 14:14:32.170 -0500 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/nmon/bin/nmon_helper.sh" which: no nmon in (/opt/splunk/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
01-27-2015 13:33:32.883 -0500 ERROR HttpListener - Exception while processing request from 10.9.85.4 for /en-US/module/system/Splunk.Module.UnixBubbleGrid/render?sid=1422383610.272&client_app=splunk_app_for_nix: Connection closed by peer

01-27-2015 13:26:49.420 -0500 ERROR HttpListener - Handler for /en-US/module/system/Splunk.Module.UnixResultsTable/render?count=20&offset=0&sid=1422383204.177&client_app=splunk_app_for_nix sent a 0 byte response after earlier claiming a Content-Length of 333!
01-27-2015 13:26:50.978 -0500 ERROR HttpListener - Exception while processing request from 10.9.85.4 for /en-US/module/system/Splunk.Module.UnixResultsTable/render?count=20&offset=0&sid=1422383205.185&client_app=splunk_app_for_nix: Connection closed by peer
01-27-2015 13:26:50.978 -0500 ERROR HttpListener - Handler for /en-US/module/system/Splunk.Module.UnixResultsTable/render?count=20&offset=0&sid=1422383205.185&client_app=splunk_app_for_nix sent a 0 byte response after earlier claiming a Content-Length of 467!

gjanders · ‎07-21-2016

I assume you solved:

01-27-2015 14:12:44.726 -0500 ERROR ArchiveContext - From archive='/opt/splunkforwarder/etc/apps/TA-nmon/var/nmon_repository/bhcx27_150127_1357.nmon':  python: A file or directory in the path name does not exist.

But for anyone else who hits the issue, this will happen if python is not installed (as is typical on AIX servers), the props.conf of the nmon application can be overridden to use the perl interpreter:

[source::.../*.nmon]
unarchive_cmd = $SPLUNK_HOME/etc/apps/TA-nmon/bin/nmon2csv.pl

# To manage repositories archives of cold nmon files (add you own for other compressed formats)
[source::.../*.nmon.gz]
unarchive_cmd = gunzip | $SPLUNK_HOME/etc/apps/nmon/bin/nmon2csv.pl

The above normally defaults to python.

The official documentation for the nmon app is here:
http://nmonsplunk.wikidot.com/

The application itself lives here:
https://splunkbase.splunk.com/app/1753

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

dflodstrom · ‎01-27-2015

To add a forwarder the forwarder manager you must specify the deployment server by executing:

splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart

http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Configuredeploymentclients

gsrikanth87 · ‎01-27-2015

I have already done these steps. but I cannot see forwarder client in splunk web

malmoore · ‎02-02-2015

Is nmon on your system?

gsrikanth87 · ‎02-03-2015

yes, I have nmon in my server.

Splunk App for Unix and Linux: How to check splunkd.log why I can't I add a forwarder client in splunk GUI after installing a forwarder?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!