- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the error that I am getting when deploying to cluster master.
---->splunk@splunklic1:/opt/splunk/etc/master-apps/Splunk_TA_cisco-ise
$ /opt/splunk/bin/splunk apply cluster-bundle
In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered:
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 2: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 7: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 12: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 17: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 22: ise.host (value: 167.10.50.10)
;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_cisco-asa/default/eventgen.conf
;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/default/eventgen.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did some test using Splunk_TA_cisco-ise from https://splunkbase.splunk.com/app/1915/ and here are my recommendations.
1) You can push the bundle using the command below as this command skips the validation during
./splunk apply cluster-bundle --skip-validation
2) Once the bundle is pushed, I noticed that when cluster peers are started, they don't issue any error, so you will be fine.
For this issue found Bug SPL-101630:::Unable to Deploy Splunk_TA_cisco-ise using Cluster Bundle from Cluster Master for this issue to be addressed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
deleting or renaming workflow_actions.conf worked for me.
It's also recommended you delete eventgen.conf before applying to indexer cluster.
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Distributedinstall#collapseDesktop2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did some test using Splunk_TA_cisco-ise from https://splunkbase.splunk.com/app/1915/ and here are my recommendations.
1) You can push the bundle using the command below as this command skips the validation during
./splunk apply cluster-bundle --skip-validation
2) Once the bundle is pushed, I noticed that when cluster peers are started, they don't issue any error, so you will be fine.
For this issue found Bug SPL-101630:::Unable to Deploy Splunk_TA_cisco-ise using Cluster Bundle from Cluster Master for this issue to be addressed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
quick question,
will it keep asking to skip validation after you push the bundle once with this command? I am running into the same issue and do not want to keep having to run the skip-validation command every time. thanks!
