Why am I getting strange errors on Indexers after upgrading the App for Windows Infrastructure to 1.4.3?

spraus
Explorer

Hello everyone,

After completing an upgrade on all my Splunk servers, my two indexers are throwing the following errors during every search... I am unsure, but the top error might actually be the same thing on my search head. I have been unable to find any information on what this could be.

3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.

Expanding ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error)) failed due to cycle detected when expanding eventtype=wineventlog-dns

[INDEX_SERVER_01] Expanding ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error)) failed due to cycle detected when expanding eventtype=wineventlog-dns

[INDEX_SERVER_02] Expanding ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error)) failed due to cycle detected when expanding eventtype=wineventlog-dns

To go along with this, I am also now getting 404 errors on all pages from the Windows Infrastructure App (".../en-US/app/splunk_app_windows_infrastructure/").

I have tried reinstalling the app several times (both with and without my local changes) to no avail. When I attempt to look at the search string that is provided to get "more information" the search comes back empty. (Example search string: index=_internal host="Index_Server_01]" source=*web_service.log log_level=ERROR requestid=5a7367508d2eb6b60eb8)

Thank you all in advance;
Stephen M. Praus

0 Karma
1 Solution

spraus
Explorer

Ok... Looks like I found it:

To start, I didn't realize that I had upgraded the Active Directory Add-On at the same time. After removing both add-ons completely from all servers, restarting, and installing the AD add-on, I was able to reconfigure the AD add-on completely. Once that was finished, I reinstalled the Windows Infrastructure add-on and completely rebuilt the entire configuration and lookup tables.
After peering into my previous files, it looks like the configuration that is generated upon installation of the Windows Infrastructure add-on is not compatible with the upgrade. I am unsure if this is only for myself or for anyone upgrading, but it was a pretty simple fix once I found the root cause of the issue.

Thank you all and sorry for tripping over my own answer after asking for help!

Stephen

0 Karma
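
An added example, not part of the original thread and not Splunk's own code: the "cycle detected when expanding eventtype" error quoted in the question means an event type's search refers back to itself through other event types. This Python sketch finds such loops in eventtypes.conf-style text; the stanzas in `SAMPLE_CONF` are constructed, and treating `*` in a reference as a wildcard is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in eventtypes.conf syntax (assumed stanzas, not the app's own).
SAMPLE_CONF = """\
[wineventlog_application]
search = sourcetype="WinEventLog:Application"

[wineventlog-dns]
search = eventtype=wineventlog_application DNS OR eventtype=dns-errors

[dns-errors]
search = eventtype=wineventlog-dns (Type=Warning OR Type=Error)
"""

REF = re.compile(r'\beventtype\s*=\s*"?([\w:.*-]+)"?', re.IGNORECASE)

def parse_eventtypes(text):
    """Return {stanza_name: search_string} from eventtypes.conf-style text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = ""
        elif current and re.match(r"search\s*=", line):
            stanzas[current] = line.split("=", 1)[1].strip()
    return stanzas

def find_cycles(stanzas):
    """DFS over eventtype references ('*' treated as a wildcard, an assumption)."""
    graph = {name: sorted({t for ref in REF.findall(search)
                           for t in stanzas if fnmatchcase(t, ref)})
             for name, search in stanzas.items()}
    cycles, done = [], set()

    def visit(node, path):
        if node in path:
            # Reached a stanza already on the current path: record the loop.
            cycles.append(path[path.index(node):] + [node])
        elif node not in done:
            for nxt in graph[node]:
                visit(nxt, path + [node])
            done.add(node)

    for name in sorted(graph):
        visit(name, [])
    return cycles
```

To check a real deployment, pass the merged configuration (for example the output of `splunk btool eventtypes list`) to `parse_eventtypes` and print what `find_cycles` returns.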

spraus
Explorer

As another troubleshooting note, I have checked and verified the file permissions on the Splunk server to ensure there are no access-denied issues going on.

Thanks Again!
Stephen

0 Karma

spraus
Explorer

PS: Thank you to the moderator who edited my question for both clarity and markup... As you may see from my account, I'm a little new to this.

Thanks!

0 Karma