before Deployment server and universal forwarder has splunk instances running under same instances. but recently we changes the UF owner to different one. From that point I am not able to deploy -apps to forwarder. It is giving following error.
WARN ClientSessionsManager - ip=10.32.234.75 name=1CF518E3-5DF2-4BC4-AA7C-9B7C37A Updating record for sc=windows_uat app=deploymentclient: action=Download result=Fail checksum=0
WARN ClientSessionsManager - ip=10.32.234.00 name=1CF518E3-5DF2-4BC4-AA7C-9CEF94BA Updating record for sc=windows_uat app=forwarder_outputs: action=Download result=Fail checksum=0
Maybe you were running splunk as admin and now you are running it as a less-privileged user and the old directory is undeletable. The easy way to test is to go to the UF, stop splunk, rename the app (or delete it but be careful about local stuff in local
) and then restart splunk. It should download then and be OK.
is the guid 1CF518E3-5DF2-4BC4-AA7C-9B7C37A the same on the Forwarder and Deployment Server?
Can you elaborate a little? you had 1 instance doing 2 roles a. DS b. Forwarder?
sorry, we had universal forwarder and DS server running on differrent servers but has same owner. But I recently changes the owner of UF in order to give it permissions to read some logfiles. But when the owner of UF changed to different one. The DS unable to deploy the apps to UF. (Apps I tried to deploy already present in UF, so changed the app names in DS and tried to redeploy them-again) giving error as below.
03-25-2017 12:26:07.140 -0500 WARN ClientSessionsManager - ip=10.32.234.60 name=1C518E3-5DF2-4BC4-AA7C-9CEF94B7C37A Updating record for sc=inputs2 app=inputs2: action=Download result=Fail checksum=0
03-25-2017 12:26:07.139 -0500 WARN ClientSessionsManager - ip=10.32.234.60 name=1C518E3-5DF2-4BC4-AA7C-9CEF94B7C37A Updating record for sc=uat app=deploymentclient: action=Download result=Fail checksum=0
I tried to redeploy the apps because , UF not sending any data to the Indexers. Not even the splunkd.log after its owner id change. why changing the owner of UF stopping it to send the data to indexers. Any troubleshooting tips.
YOu've changed the owner id under which splunkd is running. Did you change the splunk file-system ownership (chmod and chown) to have full access to new owner?