- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Can I delete /opt/splunk/var/run/searchpeers/<...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I delete /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/*?
Hello,
I would like to know if it is safe to delete below on all of our Splunk hosts: /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/java-bin/jars/vendors/spark/3.0.1/lib/
Similar files exist on a lot of our Splunk hosts and we get notifications daily about them because of log4j. So is it safe to delete the above path and similar? It is just replications right?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
check this out it has all the details, i think there were some updated versions in that fixed the vulnerability.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, we have followed the instructions from the link you provided. But it does not mention if it is ok to the splunk_archiver app in /opt/splunk/var/run/searchpeers/<host>-1633305600/*. Is it just replication under /opt/splunk/var/run/searchpeers/<host>-1633305600/* and is it safe to delete it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Our scan has too found log4j vulnerability under the path /opt/splunk/var/run/searchpeers/<host>...
Did you remove those files/folders from the location ?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have not removed them yet. Our Splunk environment is not effected since we do not have DFS enabled. But I am still trying to investigate whether we can delete those files so we don't get notified from the scan. Have you heard anything else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@erw550 Where you able to succesfully remove /opt/splunk/var/run/searchpeers/<hostname>/apps/splunk_archiver/* without any issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went ahead and removed log4j files from the specified locations. Although I get a Splunk alert which is expected (As per Splunk, it can be ignored), but the scan is clean.
I am planning to follow the same on other Splunk servers.
Here is the URL for reference:
"Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored. "
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
