I have installed Splunk App for Windows Infrastructure, but when I run setup I am getting this error message:
OK: Splunk v6.3.3 detected
Key value store must be enabled. Please enable it. Learn more.
From which server it is throwing this error message? There are few Windows servers. How do I fix it ?
I ran into this on Linux, and it was because the server wasn't configured to be a slave to an Splunk Enterprise license master. Added the following stanza to server.conf
master_uri: = https://license-server:8089
After restarting Splunk, KVStore is up and running again. A couple other side-effects is that the "Map groups" action disappears under LDAP Settings (presumably, the mapping uses kv store / mongodb to store the role -> group mappings).
Another option would be to install an Enterprise license locally on the server, but since this is a search head only, that doesn't make a lot of sense.
Thank you very much. Do I need to go on all the Windows Servers and need to change the permission?
Only those that present the kvstore error.
There are several previous Answers postings that talk about how to troubleshoot this issue. It could be a permissions and/or cert issue. See https://answers.splunk.com/answers/338872/splunk-app-for-windows-infrastructure-how-to-troub.html for one discussion, and links to others.
I downvoted this post because 404 on the link
@nwieseler: I just checked the link and it worked for me. Can you try again in an incognito tab?
Just tried on mobile and nothing? Not a big deal.
Got it, the post is restored now and you should be able to see it.
And now I can't cancel my vote after one day... Sorry man.
The host that it is reporting it, is probably the one were you are trying to install Windows Infrastructure app. This apps needs kvstore to work properly if I'm not mistaken.
First, just to be sure wich host is reporting that error:
index=_internal (sourcetype=mongod OR sourcetype=splunkd) log_level!=INFO KV store
This could probably a permission issues, so do this.
mongofolder to the accound that is running Splunk.
Hope it helps.