All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SoS-TA clustered search peer deploy - incorrect scripted input path error

NGRhodes
Explorer
‎01-08-2015 03:37 AM

I deployed the SoS-TA package by placing it in on our custer master in /opt/splunk/etc/master-apps directory and deploying from the Web UI.

I noticed the following error after enabling the inputs:

01-08-2015 11:19:08.762 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh" /bin/sh: 1: /opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh: not found

The fix
Simply clone the 3 scripted inputs from SoS-TA and recreate the correct path eg:

 /opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh

Becomes:

 /opt/splunk/etc/slave-apps/TA-sos/bin/ps_sos.sh

Have I deployed this incorrectly or is it a bug in the the package deployment mechanism ?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-08-2015 03:47 PM

This is pretty strange and very unexpected as the S.o.S technology add-on has been specifically validated to work in an indexer cluster environment, deployed from the cluster master just as you described.

Do you maybe have a pre-existing copy of "TA-sos" under $SPLUNK_HOME/etc/apps on the cluster peers? If so, you should remove that version and allow the one under $SPLUNK_HOME/etc/slave-apps to be the only copy of this TA present on the cluster peers.

Don't forget to enable the scripted inputs in $SPLUNK_HOME/etc/master-apps/local/inputs.conf on the Cluster Master before pushing out the TA!

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-08-2015 03:47 PM

This is pretty strange and very unexpected as the S.o.S technology add-on has been specifically validated to work in an indexer cluster environment, deployed from the cluster master just as you described.

Do you maybe have a pre-existing copy of "TA-sos" under $SPLUNK_HOME/etc/apps on the cluster peers? If so, you should remove that version and allow the one under $SPLUNK_HOME/etc/slave-apps to be the only copy of this TA present on the cluster peers.

Don't forget to enable the scripted inputs in $SPLUNK_HOME/etc/master-apps/local/inputs.conf on the Cluster Master before pushing out the TA!

Reply
Solved! Jump to solution

NGRhodes
Explorer
‎01-12-2015 02:01 AM

I did originally copy to the wrong location, looks like there were some leftovers that splunk was picking up 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...