Splunk Enterprise

Problem with indexer discovery on AIX using Universal Forwarder 8.1.3

las
Contributor

Hi.

I would like to know if anybode else had this issue.

We upgraded our UF on AIX to 8.1.3 from 8.0.4, following the guidelines from Splunk.

We have set outputs.conf to use indexer discovery.

After the upgrade we saw these message:

  • ERROR IndexerDiscoveryHeartbeatThread - Error in Indexer Discovery communication. Verify that the pass4SymmKey set under [indexer_discovery:prod] in 'outputs.conf' matches the same setting under [indexer_discovery] in 'server.conf' on the Cluster Master. [uri=https://xxxx:8089/services/indexer_discovery http_code=502 http_response="OK"]

The pass4SymmKey has not changed during the upgrade.

We changed the configuration to bypass indexer discovery, and that got data flowing into the system again.

 

Kind regards

Lars Søndergaard

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
Is your CM already at least level 8.1.3?
How you did your UF upgrade (just upgrade or remove/install)?
r. Ismo
0 Karma

las
Contributor

Hi.

Yes, the CM was upgraded to 8.1.3 prior to the upgrade of the UFs. It was just an upgrade, so no remove.

kind regards

Lars

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Have you try to update pass4SymmKey already? Even it has worked earlier there could be happened something which has corrupted it or change splunk.secret on UF.
0 Karma

las
Contributor

Yes, I did try to update the pass4SymmKey, that didn't work.

It seems this problem is only on the AIX part, we have succesfully upgraded both Linux and Windows so it is not a general bug.

Kind regards

las

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Probably you should raise a ticket to splunk support.
0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...