Splunk Enterprise

Client did not get correct server class in Splunk DS 9.2.0.1

tatdat171
Loves-to-Learn

I am using Splunk Enterprise version 9.2.0.1 ( Upgraded from 9.0.5 to latest).
Before the upgrade, the Splunk deployment server is working as well.

When Splunk DS was upgraded to version 9.2.0.1, we saw issues with the client's server class.
Client name: EC2AMAZ-XXXXX
1. Client in DS server before upgraded (9.0.5)

Splunktatdat171_0-1709004792308.png

Server class: UF_input_WIN, UF_output

2. Client in DS server after upgraded (9.2.0.1)

tatdat171_1-1709005462444.png

Server class: UF_input_Linux, UF_output
The server class "UF_input_Linux" only filters by machine type Linux (see section 3 below). I did not know why this server class is applied to this windows client

3. "UF_input_Linux" Server class configuration

tatdat171_2-1709005764416.png

4. "UF_input_WIN" Server class configuration

Client is listed in the match list on UF_input_WIN server class

tatdat171_3-1709005887700.png

Is that a bug? The filter Machine type does not work correctly. I did not change any thing on server class & app when upgraded Splunk DS.

Does anyone know or meet this issue before? 

Labels (1)
0 Karma

Hardy_0001
Observer

@tatdat171  had you opened up a case with support?

0 Karma

tatdat171
Loves-to-Learn

Yes, I have opened case on Customer support (same time as this post). But they are still troubleshooting.

0 Karma

Hardy_0001
Observer

@tatdat171  I have also recently opened a case with Splunk support and it's in queue, not acknowledge yet. Please let me know if you have any updates/finding. Thank you.

 

0 Karma

Hardy_0001
Observer

@tatdat171  are you able to resolve this issue? checking because we are experiencing same issue.

0 Karma

tatdat171
Loves-to-Learn

Hi @Hardy_0001 , I am still facing with this issue. Could you please help me share your solution?

0 Karma

tatdat171
Loves-to-Learn

Hi @Hardy_0001 , Splunk team confirmed that is a bug on Splunk version 9.2.0.1.
The Splunk Dev team is working on that. We can wait until they release fix version 😄 

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...