All Apps and Add-ons

Why is the Splunk for Cisco Identity Services (ISE) not deploying correctly from the Cluster Master?

rbal_splunk
Splunk Employee
Splunk Employee

This is the error that I am getting when deploying to cluster master.

---->splunk@splunklic1:/opt/splunk/etc/master-apps/Splunk_TA_cisco-ise
$ /opt/splunk/bin/splunk apply cluster-bundle

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered:
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 2: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 7: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 12: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 17: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 22: ise.host (value: 167.10.50.10)
;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_cisco-asa/default/eventgen.conf
;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/default/eventgen.conf 
1 Solution

rbal_splunk
Splunk Employee
Splunk Employee

I did some test using Splunk_TA_cisco-ise from https://splunkbase.splunk.com/app/1915/ and here are my recommendations.

1) You can push the bundle using the command below as this command skips the validation during

./splunk apply cluster-bundle --skip-validation

2) Once the bundle is pushed, I noticed that when cluster peers are started, they don't issue any error, so you will be fine.

For this issue found Bug SPL-101630:::Unable to Deploy Splunk_TA_cisco-ise using Cluster Bundle from Cluster Master for this issue to be addressed.

View solution in original post

bamare
New Member

deleting or renaming workflow_actions.conf worked for me.

It's also recommended you delete eventgen.conf before applying to indexer cluster.
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Distributedinstall#collapseDesktop2

0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

I did some test using Splunk_TA_cisco-ise from https://splunkbase.splunk.com/app/1915/ and here are my recommendations.

1) You can push the bundle using the command below as this command skips the validation during

./splunk apply cluster-bundle --skip-validation

2) Once the bundle is pushed, I noticed that when cluster peers are started, they don't issue any error, so you will be fine.

For this issue found Bug SPL-101630:::Unable to Deploy Splunk_TA_cisco-ise using Cluster Bundle from Cluster Master for this issue to be addressed.

sbattista09
Contributor

quick question,
will it keep asking to skip validation after you push the bundle once with this command? I am running into the same issue and do not want to keep having to run the skip-validation command every time. thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...