Pivotal Cloud Foundry Support

 View Only

 Splunk Firehose Nozzle corrupt token issues

Matthew Cruley's profile image
Matthew Cruley posted Jan 16, 2019 10:05 PM

I am facing an issue where the Splunk Token, generated by the Splunk HEC, become corrupt and logs stop being fed to Splunk. I have to reapply the token via the environment variable within the firehose nozzle application and once the token has been reapplied I then re-stage the application and logs appear as expected. Any idea on what may be causing the token to become corrupt?

Daniel Mikusa's profile image
Daniel Mikusa

The Pivotal Support team does not cover the Splunk Firehose Nozzle. It's not something we ship with PCF, so we don't encounter it much. You're probably better off reaching out to the author of the Splunk Firehose Nozzle. If it's a Github project, I'd suggest opening an issue under the project.

Matthew Cruley's profile image
Matthew Cruley

Thanks for the quick reply @Daniel Mikusa - Tanzu Support​ . I will see what I can find out on Github.

Matthew Cruley's profile image
Matthew Cruley

@Daniel Mikusa - Tanzu Support​  Is it okay if we keep this ticket open? As we troubleshoot this issue we may have some questions along the way that we might need some help on. One thing that comes to mind is that we are seeing "system_services" user updates on the cf event/apps manager events. When we see this occur we may want some help in getting a better understanding of what this is and if it is what is causing a change that may be corrupting the token.

Daniel Mikusa's profile image
Daniel Mikusa

@Matthew Cruley​ - Sorry, this can be a little confusing. The UI is not great and it's something we're working to approve. This isn't a ticket, it's a post on our community forums. If you have more questions, feel free to make a new post here or you can open up a ticket. Instructions for opening a ticket can be found here.

 

https://community.pivotal.io/s/question/0D50e00005CMGY6CAP/howto-open-a-case