I am trying to install Splunk_TA_Nix on my UFs. I am in an air-gapped area, so I can't copy errors and paste them here.
I followed the steps below:
```
cd $SPLUNK_HOME/etc/apps/
tar xzvf $TMP/Splunk_TA_nix-4.7.0-156739.tgz
mkdir $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local
cp $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/.
vi $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
chown -R splunkfwd:splunkfwd $SPLUNK_HOME/etc/apps/Splunk_TA_nix
```
And restarted Splunk.
I was able to get it working on 2 machines, but then on the next couple of machines, I am seeing:
```
-0500 ERROR Configwatcher [32904 SplunkConfigChangeWatcherThread] - File =/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_default/apps/splunk_TA_nix/default/app.conf not available in baseline directory
-0500 ERROR Configwatcher [32904 SplunkConfigChangeWatcherThread] - Unable to log the changes for path=/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/app.conf
```
Similar errors for other file names as well, like ._tags.conf and eventtypes.conf.
It seems like a permission issue, but I have compared, and the permissions on the add-on folder and all files/dirs seem to be just like on other UFs where the same add-on is working.
Any help would be appreciated.
Here are the steps to install the Splunk_TA_nix add-on:
1. Download the add-on and place it in the `/tmp` directory or any preferred directory.
2. Extract the contents using the command: `tar -zxvf <.tgz> -C /opt/splunkforwarder/etc/apps`
3. Update the ownership with the command: `chown -R splunk:splunk /opt/splunkforwarder`
4. Restart the Splunk forwarder to apply the changes.
Thanks for your help. I guess it just needed a clean installation.
@jkamdar Please follow this
https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/Installanixuniversalforwarder
Thanks @kiran_panchavat
So you are suggesting a fresh installation from the tgz file. Not sure why it worked for 2 hosts and now it won't, but I will give it a try. Also, I am assuming the command `chown -R splunk:splunk` can be replaced with `chown -R splunkfwd:splunkfwd`, as that's the user name I am running the Splunk forwarder with.
Yes, please replace the user while using chown. If you still face issues, it might be necessary to check with the OS team to determine if there are any permission-related problems.
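A read-only check for the symptoms described in this thread, added here as an example (not from any poster or from Splunk): it lists `default/` files of the add-on that have no copy in the baseline snapshot directory named in the errors, entries not owned by the forwarder user, and `._*` files like the `._tags.conf` mentioned in the question. The function names and the `SPLUNK_USER` variable are hypothetical, and the mirrored baseline layout is an assumption inferred from the paths in the error messages.

```shell
#!/bin/sh
# Added example, not part of the original thread. Nothing here modifies files.

# Print files (relative paths) under app_dir that have no counterpart in baseline_dir.
# Assumption: the baseline snapshot mirrors the app's directory layout.
missing_from_baseline() {
    app_dir="$1"; baseline_dir="$2"
    find "$app_dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$app_dir"/}
        [ -e "$baseline_dir/$rel" ] || printf '%s\n' "$rel"
    done
}

# Print every file or directory under a path that is NOT owned by the
# expected user (user name or numeric uid).
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Print entries whose names start with "._" (e.g. the ._tags.conf in the errors).
dot_underscore_files() {
    find "$1" -name '._*' -print
}

# Run against a real forwarder only when SPLUNK_HOME is set and the add-on exists.
# SPLUNK_USER is a hypothetical override; splunkfwd is the user named in the thread.
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME/etc/apps/Splunk_TA_nix" ]; then
    app="$SPLUNK_HOME/etc/apps/Splunk_TA_nix"
    base="$SPLUNK_HOME/var/run/splunk/confsnapshot/baseline_default/apps/Splunk_TA_nix"
    user="${SPLUNK_USER:-splunkfwd}"
    echo "== default/ files missing from the baseline snapshot =="
    missing_from_baseline "$app/default" "$base/default"
    echo "== entries not owned by $user =="
    not_owned_by "$app" "$user"
    echo "== ._* files in the add-on =="
    dot_underscore_files "$app"
fi
```

Running it on a working UF and on a failing one and comparing the three lists shows where the two installations differ.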