Deployment Architecture

KVStore does not start when running Splunk 9.4

MaverickT
Communicator

I am posting this to maybe save you from few hours of troubleshooting like I did.

I did clean install of Splunk 9.4 in small customer environment with virtualized AIO instance. After the installation there was an error notifying that KV Store can not start and that mongo log should be checked.

The following error was logged:

 

ERROR KVStoreConfigurationProvider [4755 KVStoreConfigurationThread] - Could not start mongo instance. Initialization failed.

 

 
Mongod.log was completely empty.  So there was no clues in the log files about what is wrong and what can I do to make KVStore operational.

Time to start Googling. Solution will be posted in the next post.

Labels (1)
0 Karma
1 Solution

MaverickT
Communicator

I did some reading of the documentation and realized that underlying Mongo DB was upgraded to 7. I figured out that Mongo DB 5+ requires AVX instruction set

So time to check if CPU supports AVX instruction set - in my case the CPU model did support this instructions. But running the lscpu command didnt show AVX flags. It turned out that AVX instructions were not available, because the VM had Processor compatibility mode enabled. In hyper-v we had to remove "Allow migration to a virtual machine host with a different processor version" checkbox.  After VM was restarted, AVX appeared in CPU flags and Splunk KV Store was operational.

Screenshot 2025-01-08 at 22.23.30.png

Lession learned: before upgrading  to 9.4 (or making fresh install), check if AVX flag is available. If it isn't, it is about time to upgrade your hardware 😁 and in stick to Splunk 9.3.

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Have you checked from mongodb.log why this is not starting? There is one another case where Windows OS was not supported by Splunk 9.4.0 version. https://community.splunk.com/t5/Splunk-Enterprise/KVstore-unable-to-start-after-upgrade-to-Splunk-En...

0 Karma

MaverickT
Communicator

I did some reading of the documentation and realized that underlying Mongo DB was upgraded to 7. I figured out that Mongo DB 5+ requires AVX instruction set

So time to check if CPU supports AVX instruction set - in my case the CPU model did support this instructions. But running the lscpu command didnt show AVX flags. It turned out that AVX instructions were not available, because the VM had Processor compatibility mode enabled. In hyper-v we had to remove "Allow migration to a virtual machine host with a different processor version" checkbox.  After VM was restarted, AVX appeared in CPU flags and Splunk KV Store was operational.

Screenshot 2025-01-08 at 22.23.30.png

Lession learned: before upgrading  to 9.4 (or making fresh install), check if AVX flag is available. If it isn't, it is about time to upgrade your hardware 😁 and in stick to Splunk 9.3.

Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...