Splunk Search

Why error in parsing pass4SymmKey under shclustering stanza?

vibh458
New Member

While pushing the application from deployment server to search head1 it gives me this error after entering the below command.

./splunk apply shcluster-bundle -target https://172.31.14.82:8089

Help me to sort this issue

 

[root@ip-172-31-3-3 bin]# ./splunk apply shcluster-bundle -target https://172.31.14.82:8089
Warning: Depending on the configuration changes being pushed, this command might initiate a rolling restart of the cluster members. Please refer to the documentation for the details. Do you wish to continue? [y/n]: y
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Your session is invalid. Please login.
Splunk username: admin
Password:
\Error in parsing pass4SymmKey under shclustering stanza.

0 Karma

vibh458
New Member

vibh458_0-1665780210751.png

Tell me if anything is wrong in SH1 server.conf

 

0 Karma

PickleRick
SplunkTrust

As you can see, you don't have any pass4symmKey entry in this stanza.

Maybe you have it defined elsewhere. Or maybe nowhere.

Check output of

$SPLUNK_HOME/bin/splunk btool server list shclustering --debug

 

0 Karma

PickleRick
SplunkTrust

The message should be more or less self-explanatory. Your server.conf contains a [shclustering] stanza. It contains a shared secret (said pass4symmkey) which is used for communication between cluster nodes.

This entry is normally encrypted at first run using the server's unique internal secret. So even though all servers share the same pass4symmkey, its encrypted form is different on each server.

I'm guessing that this server's config was copied from another server and the secret is either not pasted correctly or it's been pasted as an encrypted string from another server. It won't work.

Typically those errors show when someone wants to "join" a server to a shcluster by copying existing configuration. It's not supposed to be done this way. Since shcluster involves more than just instances of splunkd clustering, but also kvstore clustering, it should be done according to this document:

https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/Addaclustermember#Add_the_instance

EDIT: OK, you're getting it when pushing a bundle, so you're doing it from the deployer so the root cause might be different but the interpretation of the error stays - your pass4symmkey entry is simply "broken". Why? That we don't know.

0 Karma

vibh458
New Member

Yes, I am getting this error while pushing the application from the deployer to the search heads. Also, I have not copied server.conf from anywhere; it was created by Splunk itself. Now I am stuck here, please help me to resolve this issue.

0 Karma

gammaguhen
New Member

Step 1: Check if the pass4SymmKey is available in the [shclustering] stanza in the SH server.conf. If it is not there, add pass4SymmKey = <your password>. Do the same on all SH cluster nodes and restart Splunk.

Step 2: Similarly, check the master node (where you have a deployment server) server.conf for the [shclustering] stanza. If it is not there, add the [shclustering] stanza and pass4SymmKey = <your password>. Restart Splunk.

 

 

0 Karma
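
Added example (not part of any post in this thread, and not Splunk's own code): a shell helper that reads the output of the btool command suggested above and reports whether [shclustering] has a pass4SymmKey, which file sets it, and whether the value is stored in encrypted form, without printing the key. It assumes the `<file> <key> = <value>` layout of `--debug` output, conf paths without spaces, and that encrypted values begin with `$1$` or `$7$`; the function name and all sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the effective [shclustering] pass4SymmKey from
# `splunk btool server list shclustering --debug` output read on stdin.
# Prints: missing | empty | encrypted:<file> | plaintext:<file>
# The key value itself is never printed.
classify_shc_key() {
    awk '
        # --debug lines look like: <conf file> <key> = <value>
        # (assumes the conf file path contains no spaces)
        $2 == "pass4SymmKey" && $3 == "=" { found = 1; file = $1; value = $4 }
        END {
            if (!found)       { print "missing"; exit }
            if (value == "")  { print "empty"; exit }
            # Assumption: encrypted values carry a $1$ or $7$ prefix.
            if (value ~ /^\$[17]\$/) { print "encrypted:" file; exit }
            print "plaintext:" file
        }'
}

# Constructed samples (not taken from the thread; values are placeholders).
CONF=/opt/splunk/etc/system/local/server.conf
SAMPLE_MISSING="$CONF [shclustering]
$CONF disabled = 0
$CONF replication_factor = 3"
SAMPLE_EMPTY="$SAMPLE_MISSING
$CONF pass4SymmKey = "
SAMPLE_ENCRYPTED="$SAMPLE_MISSING
$CONF pass4SymmKey = \$7\$PLACEHOLDERnotARealValue=="
SAMPLE_PLAINTEXT="$SAMPLE_MISSING
$CONF pass4SymmKey = placeholder-secret"

# Demo on the samples. On a real member or deployer, run instead:
#   "$SPLUNK_HOME/bin/splunk" btool server list shclustering --debug | classify_shc_key
for s in "$SAMPLE_MISSING" "$SAMPLE_EMPTY" "$SAMPLE_ENCRYPTED" "$SAMPLE_PLAINTEXT"; do
    printf '%s\n' "$s" | classify_shc_key
done
```

An `encrypted:` result only shows that the value is stored in encrypted form; as explained in the thread, an encrypted string pasted from another server still will not work on this one.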