
Why should only the Splunk_TA_vmware be deployed on indexers when the default config will generate errors in splunkd?



A VMWare deployment respecting the Splunk deployment matrix will generate error messages in the indexers' splunkd.log

The deployment of the Splunk add-ons for VMWare generates error messages in splunkd.log due to shared objects from the SA-Hydra and SA-VMNetAppUtils.

The deployment matrix provided by Splunk requests only the deployment of the "Splunk_TA_vmware" on the indexers:


However, if both the SA-Hydra and SA-VMNetAppUtils are NOT deployed on the indexers where the Splunk_TA_vmware is deployed, the following message appears in splunkd:

11-13-2017 10:57:14.208 +0000 ERROR ModularInputs - Introspecting scheme=ta_vmware_collection_worker: script running failed (exited with code 1).
11-13-2017 10:57:14.208 +0000 ERROR ModularInputs - Unable to initialize modular input "ta_vmware_collection_worker" defined inside the app "Splunk_TA_vmware": Introspecting scheme=ta_vmware_collection_worker: script running failed (exited with code 1).

Only the deployment of the SAs will fix this situation, OR renaming / deleting the "Splunk_TA_vmware/default/inputs.conf" and "Splunk_TA_vmware/README/inputs.conf.spec"

Since Splunk is not requesting the deployment of the Support Add-ons, either the deployment matrix must be fixed, or the packages themselves must be fixed such that deploying the Splunk_TA_vmware alone does create this error by default.


  • Follow the deployment guidance for VMWare addons with a distributed architecture including dedicated indexer instances
  • Check splunkd.log on Splunk startup

Many thanks,

Splunk Employee

I'd like to mention that the latest documentation also requests to install this TA on the search head cluster -

From the install guide:

Upload the Splunk Add-on for VMware to your search heads
Stop your Splunk platform instance.
If using a search head cluster, upload SA-Hydra, SA-VMNetAppUtils, Splunk_TA_esxilogs, Splunk_TA_vcenter, and Splunk_TA_vmware to opt/splunk/etc/shcluster/apps/ on the deployer.

In SHC this also produces numerous errors regarding the inability to initialize the modular input. Removal of the inputs.conf and inputs.conf.spec solves this as well.

0 Karma

Esteemed Legend

You would be best off asking this same question in the "Comments" section of that documentation page. The docs team ROCKS and will get you a better answer and usually more quickly than we can do here.

0 Karma


Hello, thanks for your answer.

Well, I don't necessarily say that this is a documentation issue, which is why I am asking the question actually.
This could be as well something to improve from the Splunk_TA_vmware.

0 Karma
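
Added example, not part of the thread and not Splunk's own code: a small check for the "Check splunkd.log on Splunk startup" step that pulls modular-input initialization failures out of splunkd.log and reports which of the support add-ons named in the question are absent. The function names and the `SUPPORT_ADDONS` mapping are assumptions built from the question's description; the third sample log line is constructed.

```python
import re

# Lines 1-2 are the splunkd.log entries quoted in the question; line 3 is a
# constructed unrelated entry to show that other components are ignored.
SAMPLE_LOG = '''\
11-13-2017 10:57:14.208 +0000 ERROR ModularInputs - Introspecting scheme=ta_vmware_collection_worker: script running failed (exited with code 1).
11-13-2017 10:57:14.208 +0000 ERROR ModularInputs - Unable to initialize modular input "ta_vmware_collection_worker" defined inside the app "Splunk_TA_vmware": Introspecting scheme=ta_vmware_collection_worker: script running failed (exited with code 1).
11-13-2017 10:57:15.001 +0000 INFO  TailingProcessor - constructed sample line
'''

# Assumption taken from the question: these SAs must sit beside Splunk_TA_vmware.
SUPPORT_ADDONS = {"Splunk_TA_vmware": ("SA-Hydra", "SA-VMNetAppUtils")}

# Matches only the "Unable to initialize" summary line, which names both the
# scheme and the owning app; the preceding "Introspecting" line lacks the app.
INIT_FAIL = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) ERROR ModularInputs - Unable to initialize modular input '
    r'"(?P<scheme>[^"]+)" defined inside the app "(?P<app>[^"]+)":'
    r'.*\(exited with code (?P<code>-?\d+)\)'
)

def failed_modular_inputs(lines):
    """Return {(app, scheme): {"count", "first_seen", "exit_code"}} for init failures."""
    failures = {}
    for line in lines:
        m = INIT_FAIL.match(line)
        if not m:
            continue
        entry = failures.setdefault(
            (m["app"], m["scheme"]),
            {"count": 0, "first_seen": m["ts"], "exit_code": int(m["code"])})
        entry["count"] += 1
    return failures

def missing_support_addons(failures, installed_apps):
    """For each failing app, list the support add-ons absent from installed_apps."""
    installed = set(installed_apps)
    return {app: [sa for sa in SUPPORT_ADDONS.get(app, ()) if sa not in installed]
            for app, _scheme in failures}

if __name__ == "__main__":
    found = failed_modular_inputs(SAMPLE_LOG.splitlines())
    print(found)
    # installed_apps: the directory names under etc/apps on the instance being checked.
    print(missing_support_addons(found, ["Splunk_TA_vmware"]))
```
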