Splunk on SUSE with Firefox 3, forever loading…

Abi Rendon — Mon, 13 Oct 2008 23:06:11 +0000

If you’re using SLES or any other Suse variant you might be wondering why your Splunk installation is constantly in a loading loop unless you browse to it using Internet Explorer. After lots of hacking around, reboots and google searches I emailed the splunk team about my problem. At first they didn’t seem to understand my problem but they did suggest I take a look at this article in their troubleshooting documentation.

http://www.splunk.com/doc/latest/admin/UnableToGetAProperlyFormattedResponseFromTheServer

It appears that there’s some kind of mime type issue where either the input/output is munged because SUSE incorrectly identifies it. It results in a “loading dashboard…” showing up for a long time and after that.

Your search is still running after 1 minute. Unless you have set a high maxresults:: value, check if the Splunk Server is up and responding

The fix is actually quite easy, I’ll just repost it here just in case the link I provided becomes bad later.

Unable to get a properly formatted response from the server

Users running Splunk on a SuSE 10.x server may receive the error message Unable to get a properly formatted response from the server; canceling the current search when executing any kind of search.

In order to resolve this issue edit /etc/mime.types. Delete (or comment out) these 2 lines:

text/x-xsl xsl
text/x-xslt xslt xsl

Also change this line:

text/xml xml

to:

text/xml xml xsl

With these changes in place, restart Splunk and clear your browser cache.

Make sure to clear your cache, it’s actually quite easy! Just go to your firefox preferences underneath the “privacy” tag, there is a “clear now…” button.

My Job, Syslog, and Splunk

Abi Rendon — Mon, 29 Sep 2008 09:19:33 +0000

I have been working as the Senior Systems Engineer in the operations group at a company called Airbiquity for the past year or so.

As part of my daily job I come into contact with many new and interesting products and things that help me do my job better.

Firstly, how often do you find that you need to constantly debug several machines at one? Tailing syslogs on each box can become a nightmare when you have more than one machine to look at. Consider these options…

Configure your systems with syslog-ng to forward to a centralized syslog server where you can “tail -f” your problems easily.
Buy expensive products such as SolarWinds syslog and snmp trap collector.
Use a free (500mb/day) syslog collector and search utility called Splunk

After messing with the SolarWinds products for a while I decided to move against it towards open source and free/cheaper options.

At Airbiquity I configured all of our servers and network equipment to send their syslog requests to a centralized syslog server. This was great for work debugging but I had trouble letting my boss have an easy utility that they could search with.

This is when I setup Splunk, it’s easy to install and while it can be load intensive it was a lot more intuitive and easy to use than the SolarWinds offering. So far it’s been great and we’re going to start looking into AD integration and clustering to support our multiple data centers.

Installing Splunk is as easy as pie, just download the RPM, they even provide a wget url.

Once you’ve downloaded just install using your flavor’s package system. They even provide a source version which you can install on any Linux distro, as well as an executable Windows version.

Redhat, SLES, etc.

rpm -ivh .rpm

Ubuntu, Debian etc.

dpkg -i .deb

Everything Else

tar -xzvf .tgz; cd ;./install.sh

Once you’ve installed splunk you can enable auto start like so…

/opt/splunk/bin/splunk enable boot-start

Pretty easy and you just run your new splunk init script to start it, you’ll then be able to connect to it using your servers url on port 8000.

http://:8000

Abi Rendon - Sysadmin » syslog

Splunk on SUSE with Firefox 3, forever loading…

My Job, Syslog, and Splunk