Overview
Some customers may see the following error after configuring the Cisco Umbrella Add-On for Splunk or the Cisco Cloud Security App for Splunk. As a result, no log data is ingested into Splunk. Debug logs in either the Add-On or the App show the following error:
HTTPError(response) splunklib.binding.HTTPError: HTTP 500 Internal Server Error -- Failed to create collection: resource already exists
Cause
This error occurs if you previously set up the Add-On or App, deleted it, and then tried to add it again.
When the app is uninstalled, splunkd normally triggers a reload function that syncs the latest configuration with the collection data in the database and removes any collection that has no corresponding configuration (an orphaned collection). However, the reload implementation within KVService fails to do so, leaving the orphaned collection in KVService.
When the app is reinstalled, it does not find the configuration file, because it was removed in the previous step. When the app then tries to create the collection, the request fails because KVService still has the collection present within the app's context.
Resolution
To resolve the issue, upgrade the Splunk server to version 9.1.2312.104. If upgrading is not an option, open a support ticket with Splunk support. They have a process to clean up the orphaned collection.
For more information, refer to the following Splunk support KB:
https://splunk.my.site.com/customer/s/article/Failed-to-create-collection