I have installed Splunk App for Windows Infrastructure, but when I run setup I am getting this error message:
OK: Splunk v6.3.3 detected
Key value store must be enabled. Please enable it. Learn more.
Which server is throwing this error message? There are a few Windows servers. How do I fix it?
I ran into this on Linux, and it was because the server wasn't configured to be a slave to a Splunk Enterprise license master. Added the following stanza to server.conf:
[license]
master_uri = https://license-server:8089
After restarting Splunk, KVStore is up and running again. A couple of other side effects: the "Map groups" action disappears under LDAP Settings (presumably, the mapping uses kv store / mongodb to store the role -> group mappings).
Another option would be to install an Enterprise license locally on the server, but since this is a search head only, that doesn't make a lot of sense.
There are several previous Answers postings that talk about how to troubleshoot this issue. It could be a permissions and/or cert issue. See https://answers.splunk.com/answers/338872/splunk-app-for-windows-infrastructure-how-to-troub.html for one discussion, and links to others.
The host that is reporting it is probably the one where you are trying to install the Windows Infrastructure app. This app needs kvstore to work properly, if I'm not mistaken.
First, just to be sure which host is reporting that error:
index=_internal (sourcetype=mongod OR sourcetype=splunkd) log_level!=INFO KV store
This could probably be a permission issue, so do this.
mongofolder to the account that is running Splunk.
Hope it helps.
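The two causes raised in the answers above (a `master_uri` key under `[license]` that Splunk never sees, and a KV store folder not owned by the account running Splunk) can be checked with a short script. This is an added example, not code from any poster or from Splunk. The function names are hypothetical, the sample `server.conf` text is constructed, and the KV store folder path and Splunk account uid are assumed to be supplied by the caller.

```python
import os
import tempfile

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def kvstore_findings(conf_text, kv_dir, splunk_uid):
    """Return a list of problems for the conditions raised in the thread."""
    conf, findings = parse_conf(conf_text), []
    if conf.get("kvstore", {}).get("disabled", "false").lower() in ("1", "true"):
        findings.append("[kvstore] disabled is set")
    lic = conf.get("license", {})
    if "master_uri" not in lic:
        # A malformed key such as "master_uri:" is a different key, so it lands here.
        findings.append("[license] master_uri not set; saw keys: %s" % sorted(lic))
    # Every directory and file under the KV store folder must belong to splunk_uid.
    for root, _dirs, files in os.walk(kv_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            if os.stat(path).st_uid != splunk_uid:
                findings.append("not owned by uid %d: %s" % (splunk_uid, path))
    return findings

# Constructed sample input: one server.conf with a malformed key, one well-formed.
BAD_CONF = "[license]\nmaster_uri: = https://license-server:8089\n"
GOOD_CONF = ("[license]\nmaster_uri = https://license-server:8089\n"
             "[kvstore]\ndisabled = false\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as kv_dir:  # stand-in for the KV store folder
        open(os.path.join(kv_dir, "data.0"), "w").close()
        for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
            print(name, kvstore_findings(conf, kv_dir, os.getuid()))
```

A missing `master_uri` is only a problem when the instance is meant to use a license master; an instance with a local Enterprise license does not need it.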