Why am I getting strange errors on Indexers after upgrading the App for Windows Infrastructure to 1.4.3?

spraus
Explorer

Hello everyone,

After completing an upgrade on all my Splunk servers, my two indexers are throwing the following errors during every search... I am unsure, but the top error might actually be the same thing on my search head. I have been unable to find any information on what this could be.

3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.

Expanding ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error)) failed due to cycle detected when expanding eventtype=wineventlog-dns

[INDEX_SERVER_01] Expanding ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error)) failed due to cycle detected when expanding eventtype=wineventlog-dns

[INDEX_SERVER_02] Expanding ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error)) failed due to cycle detected when expanding eventtype=wineventlog-dns

To go along with this I am also now getting 404 errors on all pages from the Windows Infrastructure App (".../en-US/app/splunk_app_windows_infrastructure/")

I have tried reinstalling the app several times (both with and without my local changes) to no avail. When I attempt to look at the search string that is provided to get "more information" the search comes back empty. (Example search string: index=_internal host="Index_Server_01]" source=*web_service.log log_level=ERROR requestid=5a7367508d2eb6b60eb8)

Thank you all in advance;
Stephen M. Praus

0 Karma

spraus
Explorer

Ok... Looks like I found it:

To start, I didn't realize that I had upgraded the Active Directory Add-On at the same time. After removing both add-ons completely from all servers, restarting, and installing the AD add-on, I was able to reconfigure the AD add-on completely. Once that was finished I reinstalled the Windows Infrastructure add-on and completely rebuilt the entire configuration and lookup tables.
After peering into my previous files it looks like the configuration that is generated upon installation of the Windows Infrastructure add-on is not compatible with the upgrade. I am unsure if this is only for myself or for anyone upgrading but it was a pretty simple fix once I found the root cause of the issue.

Thank you all and sorry for tripping over my own answer after asking for help!

Stephen

0 Karma
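
The "cycle detected when expanding eventtype=wineventlog-dns" message in the question indicates an event type whose search refers back to itself, directly or through other event types. The check below is an added example, not part of the original posts or of the Splunk apps: it merges `eventtypes.conf` layers (later layers override earlier ones, as a local file overrides default) and reports reference cycles. The stanza contents are constructed sample data, and only the `eventtype=` and `eventtype::` reference forms are handled.

```python
import re

# Reference forms handled: eventtype=name, eventtype="name", eventtype::name
REF = re.compile(r'\beventtype\s*(?:=|::)\s*"?([\w:.\-]+)"?', re.I)

# Constructed sample layers (not the app's real definitions): a shipped default
# and a stale local override whose search mentions its own event type.
DEFAULT = """
[wineventlog_application]
search = sourcetype=example_application
[wineventlog_system]
search = sourcetype=example_system
[wineventlog-dns]
search = sourcetype=example_dns
"""
LOCAL = """
[wineventlog-dns]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error))
"""

def parse_searches(conf_text):
    """Return {stanza name: search string} for one eventtypes.conf text."""
    searches, stanza = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and re.match(r"search\s*=", line):
            searches[stanza] = line.split("=", 1)[1].strip()
    return searches

def find_cycles(*conf_texts):
    """Merge layers in precedence order and list each reference cycle."""
    merged = {}
    for text in conf_texts:
        merged.update(parse_searches(text))
    graph = {n: [r for r in REF.findall(s) if r in merged] for n, s in merged.items()}
    cycles, done = [], set()

    def visit(node, path):
        if node in path:  # back edge: the path from node to here is a cycle
            cycles.append(path[path.index(node):] + [node])
        elif node not in done:
            for nxt in graph[node]:
                visit(nxt, path + [node])
            done.add(node)

    for name in sorted(graph):
        visit(name, [])
    return cycles
```

Pass the file contents lowest precedence first, for example the app's default `eventtypes.conf` followed by the local one.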

spraus
Explorer

As another troubleshooting note, I have checked and verified the file permissions on the Splunk server to ensure there are no access-denied issues going on.

Thanks Again!
Stephen

0 Karma

spraus
Explorer

PS: Thank you to the moderator who edited my question for both clarity and markup... As you may see from my account, I'm a little new to this.

Thanks!

0 Karma