I've installed and configured the Splunk App for CEF 2.0.0 on Splunk Enterprise 6.6.0. I've created a single CEF output and installed the generated cefout add-on to each indexer. It works fine for standalone indexers, but fails on each indexer cluster peer with the error (remote_searches.log):
05-22-2017 10:02:27.446 +0000 ERROR StreamedSearch - sid=remote_ip-{SEARCH HEAD}_rt_scheduler__admin_c3BsdW5rX2FwcF9jZWY__RMD5b4adc662619c6e71_at_1495447345_6, Search Factory: Unknown search command 'cefout'.
I can see the indexers have the command replicated from the search head:
/opt/splunk/var/run/searchpeers/ip-{SEARCH HEAD}-1495445826/apps/splunk_app_cef/bin/cefout.py
I don't understand why they're not using it, given that the non-clustered indexers use the same just fine. What am I missing?
(FYI, I've worked around this problem for now by manually adding the cefout command to the generated cefout bundle. But I want to get to the point where I can use the generated bundle without manual changes, to avoid the chance of user error as administrators make further changes.)
Any advice would be greatly appreciated. Thanks.