Splunk with Evident.io App cannot start after upgrade

Created On 09/26/18 13:44 PM - Last Modified 07/19/22 23:07 PM


Symptoms

  1. Splunk is configured for the Evident Monitoring Integration.
  2. The Splunk environment has the "Evident.io App for Splunk" installed.
  3. Splunk was upgraded (e.g. from version 6 to 7).

Diagnosis

Log in to the Splunk server and, from the Splunk apps directory (normally $SPLUNK_HOME/etc/apps), run:

grep -i "token" -R splunk_app_evidentio/* | grep inputs.conf

This should produce output similar to the following (token values are shown as placeholders):

splunk_app_evidentio/local/inputs.conf:token = 11111111-1111-1111-11111111-111111111111
splunk_app_evidentio/local/inputs.conf:token = 22222222-2222-2222-22222222-222222222222
splunk_app_evidentio/local/inputs.conf:token = 22222222-2222-2222-22222222-222222222222

Check whether the same token value appears more than once, as in the last two lines above. Each token line belongs to its own input stanza in local/inputs.conf; grep -n, or opening the file, shows which stanzas carry the repeated value. Treat these token values as credentials and do not paste the real ones into tickets or chat.
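The following shell helper is added here as an example; it is not part of this article or of the Evident.io app. It goes one step further than the grep above: it parses an inputs.conf, reports every token value that occurs in more than one stanza, and names the stanzas so you know which entry to remove. The sample inputs.conf it writes is constructed for the demonstration; the stanza names are assumptions, and the token values are the placeholders from this article.

```shell
#!/bin/sh
# Added example (not from the article or the Evident.io app).
# Report "token = ..." values that appear in more than one stanza of an
# inputs.conf, naming the stanzas. Exit status: 0 = no duplicates, 1 = found.
find_duplicate_tokens() {
  awk '
    # Remember the current [stanza] header, stripped of brackets and whitespace.
    /^[ \t]*\[/ {
      stanza = $0
      sub(/^[ \t]*\[/, "", stanza); sub(/\][ \t]*$/, "", stanza)
      next
    }
    # Match "token = value" (key case-insensitive, value trimmed).
    tolower($0) ~ /^[ \t]*token[ \t]*=/ {
      val = $0
      sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      count[val]++
      where[val] = (val in where) ? where[val] ", " stanza : stanza
    }
    END {
      dups = 0
      for (v in count) if (count[v] > 1) {
        dups++
        printf "duplicate token %s in stanzas: %s\n", v, where[v]
      }
      if (dups > 0) exit 1
      exit 0
    }
  ' "$1"
}

# Constructed sample inputs.conf: stanza names are hypothetical, token values
# are the placeholders from the article. The last two stanzas share a token.
write_sample_inputs() {
  cat > "$1" <<'EOF'
[http://evident_alerts]
disabled = 0
token = 11111111-1111-1111-11111111-111111111111

[http://evident_alerts_copy]
token = 22222222-2222-2222-22222222-222222222222

[http://evident_alerts_copy2]
token = 22222222-2222-2222-22222222-222222222222
EOF
}

# Stand-alone demo; on a real system point the function at
# $SPLUNK_HOME/etc/apps/splunk_app_evidentio/local/inputs.conf instead.
sample=$(mktemp)
write_sample_inputs "$sample"
find_duplicate_tokens "$sample" || echo "remove the extra stanza(s) listed above, then restart splunkd"
rm -f "$sample"
```

The function only reads the file; which of the duplicated stanzas to delete is a decision for the administrator, since one of them may be the input the integration is actually sending to.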



Resolution


Back up splunk_app_evidentio/local/inputs.conf, then delete the duplicate token entry (the stanza whose token value repeats one already present) and start Splunk. You can confirm that the merged configuration no longer contains the duplicate with $SPLUNK_HOME/bin/splunk btool inputs list --debug, which works while splunkd is down. If Splunk still cannot start, remove the entire Evident.io App for Splunk and reinstall it once Splunk is able to start up; the backup lets you restore the local settings and token afterwards.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm3CAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail