Splunk Operator:

Question

Splunk Operator:

tnycum opened this issue a year ago · 2 comments

tnycum commented a year ago

Please select the type of request

Bug

Tell us more

Please select the type of request

Bug

Tell us more

Describe the request

Can't push latest Enterprise Security app to search heads due to scientific python exceeding the default content length.

Sample error message:

2023-09-08T23:42:10.422670559Z	ERROR	isBundlePushComplete	SHC Bundle push status file reported an error while applying bundle	{"controller": "searchheadcluster", "controllerGroup": "enterprise.splunk.com", "controllerKind": "SearchHeadCluster", "SearchHeadCluster": {"name":"sh","namespace":"splunk"}, "namespace": "splunk", "name": "sh", "reconcileID": "d1477562-eab7-49dd-b466-d07a717b0ced", "crName": "sh", "namespace": "splunk", "error": "there was an error in applying SHC Bundle, err=\"Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=Splunk_SA_Scientific_Python_linux_x86_64 on target=https://1.2.3.4:8089/: Non-200/201 status_code=413; {\"messages\":[{\"type\":\"ERROR\",\"text\":\"Content-Length of 2147500484 too large (maximum is 2147483648)\"}]}\n\""}
github.com/splunk/splunk-operator/pkg/splunk/enterprise.(*SHCPlaybookContext).isBundlePushComplete
	/workspace/pkg/splunk/enterprise/afwscheduler.go:1631
github.com/splunk/splunk-operator/pkg/splunk/enterprise.(*SHCPlaybookContext).runPlaybook
	/workspace/pkg/splunk/enterprise/afwscheduler.go:1770
github.com/splunk/splunk-operator/pkg/splunk/enterprise.(*PipelinePhase).installWorkerHandler
	/workspace/pkg/splunk/enterprise/afwscheduler.go:1233

As a workaround we have to modify this setting within server.conf on the search heads:

[httpServer]
max_content_length = 4294967296

YAML snippet used for helm values:

searchHeadCluster:
  defaults:
    splunk:
      conf:
      - key: server
        value:
          directory: /opt/splunk/etc/system/local
          content:
            httpServer:
              max_content_length: 4294967296

Expected behavior

The apps should be pushed to the search head cluster without errors

Splunk setup on K8S

Distributed Clustered Deployment + SHC with Multi-Site, deployed with Helm

Reproduction/Testing steps

Attempt to deploy latest Enterprise Security app to search heads

K8s environment

Running on AWS EKS

Proposed changes(optional)

Proposed change, if any.

K8s collector data(optional)

n/a

Additional context(optional)

n/a

vivekr-splunk commented a year ago

CSPL-2458

Answer 1 · 2023-09-11T14:59:14.000Z

@tnycum we will look into this issue and update you soon.