All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk_TA_nix error

jkamdar
Communicator
‎01-21-2025 07:44 AM

I am trying to install Splunk_TA_Nix on my UFs. I am in air-gapped area, so can't copy errors and paste here. 

I followed below steps:

cd $SPLUNK_HOME/etc/apps/
tar xzvf $TMP/Splunk_TA_nix-4.7.0-156739.tgz
mkdir $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local
cp $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/.
vi $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
chown -R splunkfwd:splunkfwd $SPLUNK_HOME/etc/apps/Splunk_TA_nix

And restarted Splunk

 

I was able to get it working on 2 machines but then on next couple of machines, I am seeing:

-0500 ERROR Configwatcher [32904 SplunkConfigChangeWatcherThread] - File =/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_default/apps/splunk_TA_nix/default/app.conf not available in baseline directory

-0500 ERROR Configwatcher [32904 SplunkConfigChangeWatcherThread] - Unable to log the changes for path=/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/app.conf

Similar errors for other file name as well, like ._tags.conf and eventtypes.conf. 

It seems like a permission issue but I have compared and permissions on the add-on folder and all files/dirs seems to be just like other UFs where the same add-on is working. 

 

Any help would be appreciated. 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎01-21-2025 09:07 AM

@jkamdar

Here are the steps to install the Splunk_TA_nix add-on:

1. Download the add-on and place it in the `/tmp` directory or any preferred directory.

2. Extract the contents using the command: `tar -zxvf <.tgz> -C /opt/splunkforwarder/etc/apps`

3. Update the ownership with the command: `chown -R splunk:splunk /opt/splunkforwarder`

4. Restart the Splunk forwarder to apply the changes.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jkamdar
Communicator
‎01-22-2025 12:53 PM

Thanks for your help. I guess, it just needed a clean installation.

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎01-21-2025 08:01 PM

@jkamdar Please follow this 

https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/Installanixuniversalforwarder 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution
Solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎01-21-2025 09:07 AM

@jkamdar

Here are the steps to install the Splunk_TA_nix add-on:

1. Download the add-on and place it in the `/tmp` directory or any preferred directory.

2. Extract the contents using the command: `tar -zxvf <.tgz> -C /opt/splunkforwarder/etc/apps`

3. Update the ownership with the command: `chown -R splunk:splunk /opt/splunkforwarder`

4. Restart the Splunk forwarder to apply the changes.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

jkamdar
Communicator
‎01-21-2025 11:24 AM

Thanks @kiran_panchavat 

So you are suggesting a fresh installation from tgz file. Not sure, why it worked for 2 hosts and now, it won't but I will give it a try. Also, I am assuming command "chown -R splunk:splunk" can be replaced with the "chown -R splunkfwd:splunkfwd", as that's the user name I am running Splunk forwarder with. 

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎01-21-2025 07:58 PM

@jkamdar 

Yes, please replace the user while using chown. If you still face issues, it might be necessary to check with the OS team to determine if there are any permission-related problems

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...