Solved: Search Head Cluster Deployer doesn't push ITSI app...

aguilard · ‎12-12-2023

Hello,

I'm trying to install Splunk ITSI 4.17.1 in a Search Head Cluster with Splunk Enterprise 9.1.2.

I already extract the .spl in the directory $SPLUNK_HOME$/etc/shcluster/apps but when I execute the command splunk apply shcluster-bundle it shows that it has deployed everything correctly but when I go to the Search Heads none of the ITSI apps are deployed.

i just made a test deploying another simple app just for testing purposes and it worked.

Do you have any idea?

aguilard · ‎12-13-2023

Ciao @gcusello ,

Maybe I didn't explain myself correctly. I meant that when the deployer moves the apps to /opt/splunk/var/run/splunk/deploy/apps it created the apps with "-local" But i just discovered that it was for a misconfiguration in the app.conf file deploy mode.

I already fixed it and now the SHs have all the ITSI apps on the etc/apps directory.

But I'm facing a new problem, when I start ITSI I got this message

But it has no sense because it is the first installation...

Thanks for your response and time

View solution in original post

gcusello · ‎12-13-2023

Hi @aguilard,

have you error messages on the Deployer?

have you enough disk space on the Deployer? it's required some additional disk space on it.

what's the owner of the folders and files? it must be splunk.

Which user are you using to install and run splunk?

Ciao.

Giuseppe

aguilard · ‎12-13-2023

Hello @gcusello ,

I do not have error messages on the Deployer.

I have plenty of space in the disk of the Deployer, I already checked.

The owner of the files is splunk and it's been installed and ran with user Splunk.

The thing that I noticed 20 minutes ago and I do not why is when the deployer pushes the ITSI apps to /opt/splunk/var/run/splunk/apps it adds at the of the folder the word "-local" and I just checked that in other installations that I manage it doesn't occur.

Thanks for the response

gcusello · ‎12-13-2023

Hi @aguilard,

this path isn't correct, check if you configured in serverclasses.conf the targetRepositoryLocation parameter that's used to configure where to push apps, default is $SPLUNK_HOME/etc/apps.

Ciao.

Giuseppe

aguilard · ‎12-13-2023

Ciao @gcusello ,

Maybe I didn't explain myself correctly. I meant that when the deployer moves the apps to /opt/splunk/var/run/splunk/deploy/apps it created the apps with "-local" But i just discovered that it was for a misconfiguration in the app.conf file deploy mode.

I already fixed it and now the SHs have all the ITSI apps on the etc/apps directory.

But I'm facing a new problem, when I start ITSI I got this message

But it has no sense because it is the first installation...

Thanks for your response and time

gcusello · ‎12-13-2023

Hi @aguilard,

it's avery strange behavior: open a cae t sSplunk Support.

Ciao.

Giuseppe

aguilard · ‎12-16-2023

I fixed the problem simply restarting the cluster and I worked 🙂

Thanks 🙂

gcusello · ‎12-17-2023

Hi @aguilard,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Search Head Cluster Deployer doesn't push ITSI apps

Linux

search head

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...