Hi all, I have been working with the 4.2.2 and now the 4.6.0 release, and there are numerous other discrepancies in the wrappers that are shipped with the add-on. In splencore.sh, there are missing cases that are still present in the default inputs.conf. I have restored two additional cases to support the clean and status functions on line 197 (in 4.6.0 of splencore.sh):

    clean)
        clean
        ;;
    status)
        status
        ;;

You can optionally add additional text to describe the available functions in the echo block at the bottom. Both of these should output to sourcetype IN (cisco:estreamer:status cisco:estreamer:clean).

The clean() function has no output. Appending a -print will log what you're actually deleting under the sourcetype cisco:estreamer:clean:

    find /var/log/my/custom/path -type f -mmin +720 -delete -print

The 4.6.0 stop() function does not work properly. Line 141 appears to have been added in 4.6.0 but is commented out. Allegedly this was fixed in the 4.6.0 release. 4.2.2 has a much more robust code block. I have replaced the 4.6.0 code block with the 4.2.2 code, which works assuming the estreamer service is actually responsive to kill -s INT.

Using /local/inputs.conf to specify a custom log path and custom index, we have the following full configuration, which enables all the scripts and monitors the correct custom path for log data (more a Splunk conf than Cisco):

    [script://./bin/splencore.sh clean]
    disabled = 0
    index = myindex

    [script://./bin/splencore.sh status]
    disabled = 0
    index = myindex

    [script://./bin/splencore.sh start]
    disabled = 0
    index = myindex

    [monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/data]
    disabled = 0
    index = myindex

    [monitor:///var/log/my/custom/path/encore.log*]
    disabled = 0
    index = myindex
    source = encore
    sourcetype = cisco:estreamer:data
    crcSalt = <SOURCE>

Lastly, on deployment when configuring the pkcs12 keys, we required an additional export to get the rather than the documented 2. We were receiving the error:

    WARNING: can't open config file: /opt/splunk-home/openssl/openssl.conf

This path obviously doesn't exist (specifically /opt/splunk-home), and we were unable to determine where it was set. Assuming a default install, the following fixed the issue:

    export SPLUNK_HOME=/opt/splunk
    export LD_LIBRARY_PATH=$SPLUNK_HOME/lib
    export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf

IMvHO, this TA out of the box is not production ready without these changes, and the code over the last 3 months has degraded to the point of being non-functional. To this effect, I encourage you to reach out to the Cisco Splunk development team. I have had a positive response from fp-4-splunk@cisco.com and encore-community@cisco.com. Thank you to @gurlest for all the commentary thus far.
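As an added illustration (not code from the TA-eStreamer add-on or from the poster's patched wrapper), the following is a minimal stand-in for the splencore.sh dispatch: the restored clean and status cases, a clean step that prints each file it deletes so the scripted input actually records something, and a stop step that sends SIGINT and verifies the process exited instead of assuming it did. The function names, the pid file location, the log path and the 720-minute retention are assumptions for illustration.

```shell
# Added example, not the add-on's own splencore.sh. Shows the clean/status
# dispatch, a logging clean step, and a stop step that checks the result.
# Log path, pid file and retention are assumed values for illustration.
LOG_DIR="${ENCORE_LOG_DIR:-/var/log/my/custom/path}"   # assumed path
RETENTION_MIN=720                                      # 12 hours, as in the post

# Delete log files older than RETENTION_MIN minutes and print each path
# removed, so the input under sourcetype cisco:estreamer:clean records
# what was actually deleted (without -print the run produces no events).
clean_logs() {
    dir="${1:-$LOG_DIR}"
    find "$dir" -type f -mmin "+$RETENTION_MIN" -delete -print
}

# Send SIGINT to a PID and poll until it exits, for up to $2 seconds.
# Returns 0 when the process is gone, 1 if it did not respond to the
# signal, so a failed stop is visible instead of silently ignored.
stop_pid() {
    pid="$1"; timeout="${2:-10}"
    kill -s INT "$pid" 2>/dev/null || return 1
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -ge "$timeout" ] && return 1
        sleep 1
    done
    return 0
}

# Report whether the process recorded in the pid file is still alive
# (assumed pid file location; the real wrapper may keep it elsewhere).
status_pid() {
    pidfile="${1:-$LOG_DIR/encore.pid}"
    [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null \
        && echo "encore running" || echo "encore not running"
}

main() {
    case "${1:-}" in
        clean)  clean_logs ;;
        status) status_pid ;;
        stop)   stop_pid "$(cat "$LOG_DIR/encore.pid")" 10 ;;
        *)      echo "usage: $0 {clean|status|stop}" >&2; return 2 ;;
    esac
}
# Dispatch only when invoked with an action, as the scripted input does.
if [ "$#" -gt 0 ]; then main "$@"; fi
```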