Why is the Splunk for Cisco Identity Services (ISE) not deploying correctly from the Cluster Master?

Splunk Employee

This is the error that I am getting when deploying to cluster master.

---->splunk@splunklic1:/opt/splunk/etc/master-apps/Splunk_TA_cisco-ise
$ /opt/splunk/bin/splunk apply cluster-bundle

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered:
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 2: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 7: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 12: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 17: ise.host (value: 167.10.50.10)
; Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 22: ise.host (value: 167.10.50.10)
;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_cisco-asa/default/eventgen.conf
;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_cisco-ise/default/eventgen.conf 
1 Solution

Splunk Employee

I did some tests using Splunk_TA_cisco-ise from https://splunkbase.splunk.com/app/1915/ and here are my recommendations.

1) You can push the bundle using the command below as this command skips the validation during

./splunk apply cluster-bundle --skip-validation

2) Once the bundle is pushed, I noticed that when cluster peers are started, they don't issue any error, so you will be fine.

I found bug SPL-101630, "Unable to Deploy Splunk_TA_cisco-ise using Cluster Bundle from Cluster Master", for this issue to be addressed.

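An added example (not part of the original thread and not Splunk's code): before falling back to --skip-validation, this parses the error text shown in the question and reports any finding other than the two kinds already reviewed in this thread, so the skip does not hide an unrelated bad key. The REVIEWED set, the function names and the example_app entry are assumptions constructed for illustration.

```python
import re

INVALID_KEY = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>\S+), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value: (?P<value>.*)\)")
NO_SPEC = re.compile(r"No spec file for: (?P<path>\S+)")

# Assumption: findings an operator has reviewed and accepted, as
# (conf file name, key); key None means a "No spec file" finding.
REVIEWED = {("workflow_actions.conf", "ise.host"), ("eventgen.conf", None)}

def parse_errors(text):
    """Split validation output into parsed findings and lines we could not parse."""
    body = text.split("errors were encountered:", 1)[-1]
    findings, unparsed = [], []
    for raw in body.splitlines():
        entry = raw.strip().lstrip(";").strip()  # entries are prefixed with ';'
        if not entry:
            continue
        m = INVALID_KEY.search(entry)
        if m:
            findings.append((m["path"], m["stanza"], m["key"]))
        elif (m := NO_SPEC.search(entry)):
            findings.append((m["path"], None, None))
        else:
            unparsed.append(entry)
    return findings, unparsed

def unreviewed(text):
    """Findings outside REVIEWED; unparsed lines count as unreviewed too."""
    findings, unparsed = parse_errors(text)
    extra = [f for f in findings if (f[0].rsplit("/", 1)[-1], f[2]) not in REVIEWED]
    return extra + [("<unparsed>", None, line) for line in unparsed]

# Two entries copied from the question, plus one constructed entry (example_app).
APP = "/opt/splunk/etc/master-apps/Splunk_TA_cisco-ise"
SAMPLE = (
    "The following errors were encountered:\n"
    f"Invalid key in stanza [EPS_QuarantineByMAC] in {APP}/local/workflow_actions.conf, "
    "line 7: ise.host (value: 167.10.50.10)\n"
    f";No spec file for: {APP}/default/eventgen.conf\n"
    "; Invalid key in stanza [monitor:///var/log/example] in "
    "/opt/splunk/etc/master-apps/example_app/local/inputs.conf, line 3: indx (value: main)\n"
)

if __name__ == "__main__":
    for path, stanza, key in unreviewed(SAMPLE):
        print("unreviewed:", path, stanza, key)
```

An empty result from unreviewed() means every validation error is one of the reviewed kinds; anything else should be fixed in the bundle before validation is skipped.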

New Member

Deleting or renaming workflow_actions.conf worked for me.

It's also recommended you delete eventgen.conf before applying to indexer cluster.
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Distributedinstall#collapseDesktop2

0 Karma

Contributor

Quick question:
will it keep asking to skip validation after you push the bundle once with this command? I am running into the same issue and do not want to keep having to run the skip-validation command every time. Thanks!

0 Karma