All Apps and Add-ons

Splunk App for *nix not Compatible with Splunk 8.0.0

ProdOps4245
Explorer

The current version of the Splunk App for Nix (v5.2.5 as of 12/11/2019) does not work with Splunk 8.0.0 (The web server will fail to start). Disabling the App is not enough, and it had to be removed via the CLI for the web server to start.

As this is an official supported app, is there any timeline for an update to this app? It does not appear to have been updated in over a year. We use a lot of the alerts native to this app in conjunction with with the Splunk Addon for Linux (Which is updated and supported on Splunk 8.0.0).

Thanks!

Tags (1)

DavidHourani
Super Champion

Hi @ProdOps4245,

Yes, version 6.0.1 of the TA is not supported with Splunk version 8.0.

Make sure you are using version 7.0.0 of the TA as it's the only one supported with Splunk V8.0, you can find it here : https://splunkbase.splunk.com/app/833/

Hope that helps.

Cheers,
David

0 Karma

ProdOps4245
Explorer

We are currently using version 7.0.0 of the Linux TA. The one in question is the Splunk App for Linux (Not Addon)....https://splunkbase.splunk.com/app/273/

0 Karma

DavidHourani
Super Champion

Oh sorry about that, it's not supported either.

From the looks of the error it's got something to do with this : "Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgrades"
The app should be migrated to support Python 3.7 : https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration

0 Karma

ProdOps4245
Explorer

Yeah, looking at the exception thrown, it is definitely related to the Python migration. I figured that was the issue and was more curious when Splunk plans to release an update to this App since it is an official Splunk Built App (and I would assume somewhat popular).

0 Karma

DavidHourani
Super Champion

I agree with you.. should've been released by now.

Try reaching out to support maybe they have something. As a workaround have a look here :
https://answers.splunk.com/answers/777309/splunk-80-upgrade-has-no-web-server-running.html

Maybe also try fixing or removing the /opt/splunk/etc/apps/splunk_app_for_nix/appserver/modules/CFHiddenSearch/CFHiddenSearch.py and see if that's the only thing causing the issue.

0 Karma

BainM
Communicator

Hi ProdOps4245 -
Can you put your splunkd.log file in here from the server that had the web server failure? We need to get some idea/details of the errors around it in order to better answer your question.

Thanks!
Mike

0 Karma

ProdOps4245
Explorer

Here is the log snippet from the web_service.log file showing the failure...Once the Splunk LInux App is removed it starts normally...

2019-12-10 15:55:11,620 ERROR   [5df0062eef7fd399dd1990] root:769 - Unable to start splunkweb
 2019-12-10 15:55:11,620 ERROR   [5df0062eef7fd399dd1990] root:770 - invalid syntax (CFHiddenSearch.py, line 65)
 Traceback (most recent call last):
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py", line 132, in <module>
     from splunk.appserver.mrsparkle.controllers.top import TopController
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/top.py", line 27, in <module>
     from splunk.appserver.mrsparkle.controllers.admin import AdminController
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/admin.py", line 25, in <module>
     from splunk.appserver.mrsparkle.controllers.appinstall import AppInstallController
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/appinstall.py", line 22, in <module>
     from splunk.appserver.mrsparkle.lib import module
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/module.py", line 465, in <module>
     moduleMapper = ModuleMapper()
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/module.py", line 83, in __init__
     self.installedModules = self.getInstalledModules()
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/module.py", line 28, in helper
     return f(*a, **kw)
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/module.py", line 448, in getInstalledModules
     mods = self.getModuleList(root)
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/module.py", line 37, in helper
     return f(*a, **kw)
   File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/module.py", line 223, in getModuleList
     mod = __import__(modname)
   File "/opt/splunk/etc/apps/splunk_app_for_nix/appserver/modules/CFHiddenSearch/CFHiddenSearch.py", line 65
     except splunk.ResourceNotFound, e:
                                   ^
 SyntaxError: invalid syntax
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...