Monitoring Splunk

How to fix aggregation issue for sourcetype

AL3Z
Builder

Hi,

I have seen an aggregation issue for one of my source types, cisco. How can I fix this issue in my Splunk Cloud?

12-06-2023 17:42:27.004 +0000 ERROR AggregatorMiningProcessor [82698 merging_0] - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/peer-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="/syslog/nac/ise.log", data_host="ise-xx", data_sourcetype="cisco:ise:syslog"

Thanks...

0 Karma

richgalloway
SplunkTrust

The datetime_udp.xml file doesn't exist on the indexer(s).  Double-check the add-on.  Consider re-installing it.  If it's still a problem, contact Splunk Cloud support or the add-on vendor.

---
If this reply helps you, Karma would be appreciated.
0 Karma
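
An added example, not part of the original thread and not Splunk's own tooling: a small Python triage script that parses the AggregatorMiningProcessor error quoted in the question and reports which sourcetype, app and apps directory the missing DateParser file belongs to. The sample lines are constructed around the one log line in the question, and the function names are hypothetical.

```python
import re
from collections import Counter

# Error format taken from the splunkd.log line quoted in the question.
ERROR_RE = re.compile(
    r"ERROR AggregatorMiningProcessor .*?"
    r"Can't open DateParser XML configuration file "
    r'"(?P<path>[^"]+)".*?'
    r'data_source="(?P<source>[^"]*)", '
    r'data_host="(?P<host>[^"]*)", '
    r'data_sourcetype="(?P<sourcetype>[^"]*)"'
)
# Splits <SPLUNK_HOME>/etc/<apps_dir>/<app>/<rel> into its parts.
APP_PATH_RE = re.compile(r"/etc/(?P<apps_dir>[^/]+)/(?P<app>[^/]+)/(?P<rel>.+)$")

def parse_line(line):
    """Return a dict for a DateParser-missing error, or None for other lines."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    p = APP_PATH_RE.search(rec["path"])
    rec.update(p.groupdict() if p else dict(apps_dir=None, app=None, rel=None))
    return rec

def summarize(lines):
    """Count skipped events per (sourcetype, apps_dir, app, missing file)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["sourcetype"], rec["apps_dir"], rec["app"], rec["rel"])] += 1
    return counts

_ERR = ('ERROR AggregatorMiningProcessor [82698 merging_0] - Uncaught exception in '
        "Aggregator, skipping an event: Can't open DateParser XML configuration file "
        '"/opt/splunk/etc/peer-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": '
        'No such file or directory - data_source="/syslog/nac/ise.log", ')
# Constructed sample: line 1 is the error from the question; lines 2-3 are made up.
SAMPLE = [
    '12-06-2023 17:42:27.004 +0000 ' + _ERR + 'data_host="ise-xx", data_sourcetype="cisco:ise:syslog"',
    '12-06-2023 17:42:28.117 +0000 ' + _ERR + 'data_host="ise-yy", data_sourcetype="cisco:ise:syslog"',
    '12-06-2023 17:42:29.000 +0000 INFO Metrics - group=pipeline, name=merging',
]

if __name__ == "__main__":
    for (st, apps_dir, app, rel), n in summarize(SAMPLE).items():
        print(f"{n} skipped event(s): sourcetype={st} app={app} dir={apps_dir} file={rel}")
```

The `apps_dir` value shows which directory the indexer actually tried to read from, which is worth comparing against the path in any `DATETIME_CONFIG` override before uploading it.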

AL3Z
Builder

@richgalloway 

Hi,

In the post mentioned below, they fixed this by creating a local/props.conf:
https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-ISE-TA-fails-when-distributed-via-Cluste...

props.conf

[cisco:ise]
DATETIME_CONFIG = /etc/slave-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

[cisco:ise:syslog]
DATETIME_CONFIG = /etc/slave-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

How can we create this in Splunk Cloud? Is it possible from All Configurations?

Thanks in advance.

0 Karma

richgalloway
SplunkTrust

Add the props.conf file to an app and upload the app to Splunk Cloud.

---
If this reply helps you, Karma would be appreciated.
0 Karma