Knowledge Management

knowledge bundle replication error

yosoypako
Path Finder

Hello.

 

We are deploying a new search head in our splunk environment. We are using windows 2019 servers as platform. The nearch head is not working. We can see these errors on the indexer:

 

WARN BundleDataProcessor [12404 TcpChannelThread] - Failed to create file E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.e035b54cfcafb33b.tmp\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\ta_microsoft_graph_security_add_on_for_splunk\aob_py2\cloudconnectlib\splunktacollectorlib\data_collection\ta_checkpoint_mng.py while untarring E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.bundle: The system cannot find the path specified.

The file name (including the path) exceeds the limit of 260 characters on  windows OS.

How can we use this addon?

 

Labels (1)
0 Karma
1 Solution

yosoypako
Path Finder

Hello,

 

Now it is working.

This made the trick:

[replicationDenylist]
ms_graph = ...TA-microsoft-graph-security-add-on-for-splunk[/\\]bin[/\\]...

Thanks

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

If the app is installed on the SH, it will be replicated to the indexer UNLESS it is excluded from the bundle.  To exclude files from the bundle, add entries to the [replicationDenyList] stanza in distsearch.conf and restart the SH.

[replicationDenyList]
MSbin = E:\Splunk\etc\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*
---
If this reply helps you, Karma would be appreciated.

yosoypako
Path Finder

Hello.

I have tried different combination of replicationDenyList stanza definition, in all cases it did not work.

with quotes, "apps\TA-microsoft-graph-security-add-on-for-splunk\bin\...", without quotes apps\TA-microsoft-graph-security-add-on-for-splunk\bin\... , with * "apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*", with full path D:\Splunk Search Head\etc\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*, and combinations of them. But nothing, I always got the error:

 Invalid key in stanza [replicationDenyList] in D:\Splunk Search Head\etc\system\local\distsearch.conf, line 29: MSbin (value: apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*).

Do you have a working example of this stanza?

Thanks for your help.

0 Karma

yosoypako
Path Finder

Hello, by same error i mean that after changing the stanza config in distsearch.conf and restarting the service on the sh., there was the Invalid key message on btool but with different value

0 Karma

yosoypako
Path Finder

Hello,

 

Now it is working.

This made the trick:

[replicationDenylist]
ms_graph = ...TA-microsoft-graph-security-add-on-for-splunk[/\\]bin[/\\]...

Thanks

yosoypako
Path Finder

Hello, thanks for your help. 

Until now were using a single deployment of splunk (indexer, search head and data inputs) on the same box. 

Now we have just started to split the roles by deploying a new search head. 

By the search is not working I meant that the service is up and running, we can log on it but the searches are not running. We got this message: 

Unable to distribute to peer named [indexer_splunk_instancename] at uri https://[indexer_ip]:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_BUNDLE_DATA_TRANSMIT_FAILURE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. 

On the indexer, on splunkd.log we got these messages: 

File length is greater than 260, File creation may fail.

After reading the doc, I saw the  app is supported on the indexers but it is not required.

If we move this application to one heavy forwarder. It will not be included on the replication bundle between SH and Indexer?

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your first error is deploying Splunk on Windows.   See https://community.splunk.com/t5/Getting-Data-In/What-are-the-pain-points-with-deploying-your-Splunk-...

Please elaborate on "the search head is not working".  What about it is not working?  An error on an indexer does not necessarily mean there's a problem with the SH.

One workaround is to rename the TA so it resides in a directory with a shorter name (by at least 8 characters).  Of course, you will have to maintain that forever.

---
If this reply helps you, Karma would be appreciated.
0 Karma

deepakc
Builder

Have you carefully installed and deployed this add on within your Splunk deployment architecture

Follow the instructions https://splunkbase.splunk.com/app/4564 - click on the link and look for where to install this add on section first.

You would typically be install this onto a heavy forwarder if you are using one and set the inputs up, this would forward the data to the indexers and data will be parsed.

The add is required on the Search Heads for parsing (Knowledge Objects) so needs to be installed there, into the correct path.

So Install everythings as required, configure it and then look at the logs.

If you have already configured as required then this log message indicates something else.

It states "The system cannot find the path specified"

Have you installed it correctly?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...