Getting Data In

/opt/ee_splunk/splunk/etc/apps/splunk_essentials_8_2/default/app.conf' changed. in SHC

btshivanand
Path Finder

Hi all

Some how splunk_essentials_8_2 directopry got removed from this directory /opt/splunk/etc/apps .later i replicated this directory from other instance.But i see the below error.can some one help with this.

Validating installed files against hashes from '/opt/ee_splunk/splunk/splunk-8.2.0-e053ef3c985f-linux-2.6-x86_64-manifest'
File '/opt/ee_splunk/splunk/etc/apps/splunk_essentials_8_2/default/app.conf' changed.
Problems were found, please review your files and move customizations to local

 

 

 

Labels (1)
0 Karma

Losde
Splunk Employee
Splunk Employee

This is a known issue reported in this version, please verify the following information: SPL-208259, SPL-210931, SPL-211811
https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/KnownIssues

Workaround:
Copy splunk_essentials_8_2 into the deployer's $SPLUNK_HOME/etc/shcluster/apps.

0 Karma

Forseti_
Engager

I am having a similar issue but in my case the complete app gets removed from all shc members. I feel like removing the hash is more of a hack than a solution.

This is a default app that shouldn't be removed; seems like a bug to me.

0 Karma

aledantas2k12
Explorer

Hi mate.

It's the same issue. The whole app gets removed from all SHC members. It's a hack indeed, but only solution since the app got removed and there is no way to put it back without changing the hash.

Indeed. It's a bug...

codebuilder
Influencer

Instead of copying the directory over from another SH you should re-deploy the app via deployer.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

aledantas2k12
Explorer

Just delete following line: '/opt/ee_splunk/splunk/etc/apps/splunk_essentials_8_2/default/app.conf
From the splunk manifest in /opt/ee_splunk/splunk

Sometimes Apps created during the installation ( The ones that splunk keeps a manifest), if they get pushed by the SHC deployer,  the checksum can get modified when the members get it.

I had the same issue with this App and the only way I could get it working was by deleting the record...

The App booked a one way flight to Belize when I created the Search Head Cluster. 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...