/opt/splunkforwarder/bin/splunk set deploy-poll :8089įor which I have attached the screenshot of puppet code./opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 0./opt/splunkforwarder/bin/splunk start -accept-license.I can also mention that all parts of this environment is running on Windows. The Heavy Forwarders are also configured with parallelIngestionPipelines2. I am trying to automate splunk forwarder installation using puppet which includes below steps The heavy forwarders are there to do some filtering, and also routing of specific data to other Splunk environments. Splunk Universal Forwarder 9.0.0 (build 6818ac46f2ec) Validating installed files against hashes from '/opt/splunk/splunkforwarder/splunkforwarder-6.5.2-67571ef4b87d-AIX-powerpc-manifest'Īnd then mysteriously the process stops running, I have this issue on 6.5.2 so hopefully it helps someone else who has needs to restart the forwarder & does not want to put a username/password into their scripts to use the REST API can use this trick.Īlternative suggestions are also welcome, and other answers in this same thread may suit your situation (such as the REST API).I am getting a timedout error while executing /opt/splunkforwarder/bin/splunk restart command using puppet exec class splunkforwarder::config(įile /.splunk.restarted", If you use a heavy forwarder thats performing other tasks, you may run into performance issues. I found the above works, however if I do not have > /tmp/test.txt (or /dev/null) or I do not have the 2>&1 the forwarder only gets to this point: Splunk> The Notorious B.I.G. Follow these steps to configure an existing heavy forwarder as a DCN. In other words: /opt/splunkforwarder/bin/splunk restart > /tmp/test.txt 2>&1 without su user: please run 'splunk ftr' as boot-start user. This command can only be run by bootstart user. When I try to restart I get the following message: As Su user: Failed to run splunk as SPLUNKOSUSER. Manual runs of the script while logged in were not an issue so it was something related to this.Īfter quite a bit of investigation & testing we found that Splunk would not start if the standard and error output of the process was not sent somewhere.Įventually we found appending a > /tmp/file.txt and a 2>&1 to the restart command resolved the issue, sending the data to /dev/null appears to work the same. Hello the issue I am having is with the following command. opt/splunkforwarder/bin/splunk restart command worked fine from the CLI (if the splunk user was logged in), however if we had a splunk application executing a script (in our case one that updated the nf) and the mentioned script attempted to restart Splunk it would result in the Splunk forwarder stopping and not starting again. I am unsure why, but the above works consistently, it does not matter if the output goes to /dev/null or to a file, more details below. The only version that worked was: /opt/splunkforwarder/bin/splunk restart > /dev/null 2>&1 opt/splunkforwarder/bin/splunk restart 2>&1 opt/splunkforwarder/bin/splunk restart > /tmp/test.txt The following also failed, even after getting the process to run post-shutdown of the forwarder: /opt/splunkforwarder/bin/splunk restart By default, events that are sent from Forwarder App to Feed Service are not registered in the indexes. Configuring Forwarder App to send events to indexes. a bin/script.sh that is within an app deployed to the splunk forwarder) left the forwarder in a shutdown state. If required, ScannersCount settings in Kaspersky CyberTrace may be changed depending on the Splunk architecture. In /var/svc/log/application-splunk-forwarder:default. The TL DR version of this is in Splunk 6.5.2 on AIX (and we also had what appeared to be the same issue on Linux): /opt/splunkforwarder/bin/splunk restartĬalled from a script run by the splunkforwarder (eg. STATE STIME FMRI online 11:45:27 svc:/application/splunk/forwarder:default Recently I noticed this SMF service has had quite some restarts, which I believe no user or cronjob action is responsible for.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |