Splunk Enterprise Security

Splunk Enterprise Security 5.0 warning messages

Explorer

Hi,
Newbie here. We recently had professional services set up and install Splunk a few months back. It's been running fine until recently.
On our Splunk Enterprise Security server, we have the following messages:
3/27/2018, 10:29:55 AM
Search peer splunkentsec01 has the following message: Health Check: msg="A script is in an unknown state" input="../bin/collector.path" stanza="default" Learn more.

3/27/2018, 10:29:55 AM
Search peer splunkentsec01 has the following message: Health Check: msg="A script is in an unknown state" input="./opt/splunk/etc/apps/SA-Utils/bin/configurationcheck.py" stanza="configurationcheck://confcheckesmigratereviewstatustransitions

It is then followed by messages stating that our three Indexers do not meet minimum system requirements which I do not believe is the case.
Search peer splunkentsec01 has the following message: Health Check: The list of indexes to be searched by default by the admin role on Splunk server "splunkentsec01" includes all non-internal indexes which might cause performance problems. Learn more.

3/27/2018, 10:29:55 AM
Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkindexer03" does not meet the recommended minimum system requirements. Learn more.

3/27/2018, 10:29:55 AM
Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkentsec01" does not meet the recommended minimum system requirements. Learn more.

3/27/2018, 10:29:55 AM
Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkindexer01" does not meet the recommended minimum system requirements. Learn more.

3/27/2018, 10:29:55 AM
Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkindexer02" does not meet the recommended minimum system requirements. Learn more.

The "learn more" links did lead me to a KB article. But it seems more to do with suppressing the messages than actually determining the root cause and fixing the problem.

Any guidance and help would be appreciated.
Thanks in advance.

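A small triage helper, added here as an illustration and not part of the thread or of Splunk's own code, that parses the health check messages quoted above into their parts (search peer, affected server, and the msg/input/stanza fields of the script-state message) and groups them by type, so the script warnings can be looked at separately from the system-requirement and default-index warnings. The sample list is constructed from the messages in the post, including the one that is cut off.

```python
import re
from collections import defaultdict

# Constructed sample: the messages quoted in the post above, as shown in
# Splunk Web's message list (the second one is truncated, as in the post).
SAMPLE_MESSAGES = [
    'Search peer splunkentsec01 has the following message: Health Check: msg="A script is in an unknown state" input="../bin/collector.path" stanza="default" Learn more.',
    'Search peer splunkentsec01 has the following message: Health Check: msg="A script is in an unknown state" input="./opt/splunk/etc/apps/SA-Utils/bin/configurationcheck.py" stanza="configurationcheck://confcheckesmigratereviewstatustransitions',
    'Search peer splunkentsec01 has the following message: Health Check: The list of indexes to be searched by default by the admin role on Splunk server "splunkentsec01" includes all non-internal indexes which might cause performance problems. Learn more.',
    'Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkindexer03" does not meet the recommended minimum system requirements. Learn more.',
    'Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkentsec01" does not meet the recommended minimum system requirements. Learn more.',
    'Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkindexer01" does not meet the recommended minimum system requirements. Learn more.',
    'Search peer splunkentsec01 has the following message: Health Check: Splunk server "splunkindexer02" does not meet the recommended minimum system requirements. Learn more.',
]

HEADER_RE = re.compile(r'^Search peer (?P<peer>\S+) has the following message: '
                       r'Health Check: (?P<body>.*?)(?: Learn more\.)?$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # msg="..." input="..." stanza="..."
SYSREQ_RE = re.compile(r'Splunk server "(?P<server>[^"]+)" does not meet')
INDEXES_RE = re.compile(r'by the (?P<role>\w+) role on Splunk server "(?P<server>[^"]+)"')


def parse_health_message(line):
    """Return a dict describing one health check message, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {"peer": m.group("peer")}
    kv = dict(KV_RE.findall(body))
    if "msg" in kv:  # scripted/modular input state, e.g. "A script is in an unknown state"
        # A truncated message (no closing quote on stanza) simply yields stanza=None.
        rec.update(kind="script_state", detail=kv["msg"],
                   input=kv.get("input"), stanza=kv.get("stanza"))
    elif (s := SYSREQ_RE.search(body)):
        rec.update(kind="system_requirements", server=s.group("server"))
    elif (s := INDEXES_RE.search(body)):
        rec.update(kind="default_index_list", server=s.group("server"), role=s.group("role"))
    else:
        rec.update(kind="other", detail=body)
    return rec


def triage(lines):
    """Group parsed messages by kind so each class can be reviewed as a unit."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_health_message(line)
        if rec:
            groups[rec["kind"]].append(rec)
    return dict(groups)
```

Feeding the list of messages copied from Splunk Web into `triage()` gives one bucket per warning class, with the script inputs and stanzas listed so they can be checked against the ES known-issues page rather than suppressed wholesale.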

Re: Splunk Enterprise Security 5.0 warning messages

Splunk Employee

Those messages might have been suppressed before the upgrade, and are now showing up because the method of displaying the messages changed. If your indexers meet the minimum system requirements listed on the page linked from the message, then those messages can be ignored (and might be getting displayed in error). The three messages should lead to three separate documentation pages about how to mitigate the issues, and only how to suppress if needed.


Re: Splunk Enterprise Security 5.0 warning messages

Explorer

Hi,
I don't think we performed an upgrade. It was a clean install of 6.5 from the ground up. Everything was fine until recently.

The linked pages explain how to suppress the messages. But one of the questions I have is doesn't it defeat the purpose by suppressing the messages? I was hoping we can find the root cause of the actual problem and fix it.

Thank you for your input and your response!


Re: Splunk Enterprise Security 5.0 warning messages

Path Finder

Good morning guys. I too upgraded ESS to 5.0 and suddenly started receiving the same alerts that KWOKKAL is receiving. I was not receiving the alerts prior to the upgrade. I am suppressing the messages for now because they are getting outrageous, and my Indexers also meet/exceed the necessary requirements.


Re: Splunk Enterprise Security 5.0 warning messages

Path Finder

Hi,
I'm wondering if Splunk has a concrete solution to this. I as well would not only like to suppress the messages. I would like to know if these messages are false positive readings or not. If true, how do I resolve? Here is an example of one of the messages I received today: 'Health Check: msg="A script is in an unknown state" input="../bin/collector.path" stanza="default"'.

Thanks Splunkers


Re: Splunk Enterprise Security 5.0 warning messages

Splunk Employee

If you click on the link in the message it should take you to a documentation page that will help you troubleshoot the errors.


Re: Splunk Enterprise Security 5.0 warning messages

Explorer

Hi,
I believe there is a workaround in place and it's supposed to be a "known workaround".
Please reference this link: https://docs.splunk.com/Documentation/ES/5.0.0/RN/KnownIssues

In the link, please reference "Issue Number SOLNESS-14947, SOLNESS-15058"

By making the change, it seems to help resolve the warnings.
Hope this helps.


Re: Splunk Enterprise Security 5.0 warning messages

Path Finder

Thank you kwokkal. I searched in Splunk web for the "Audit - Script Errors" search string. I then modified and saved it according to the workaround suggested in SOLNESS-14947, SOLNESS-15058. Hopefully I've done that correctly and I didn't break Splunk. We will find out soon!


Re: Splunk Enterprise Security 5.0 warning messages

Explorer

Cool! Let me know if the workaround works for you as it did for me. I would be interested in knowing whether the workaround is for multiple environments.


Re: Splunk Enterprise Security 5.0 warning messages

Path Finder

@kwokkal, unfortunately that did not work for me even though I didn't break Splunk so I may not have effected the workaround correctly. Did you do it the same way I did or was there some other way you performed the workaround?
