Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

KVStore does not start when running Splunk 9.4

MaverickT
Communicator
‎01-08-2025 01:43 PM

I am posting this to maybe save you from few hours of troubleshooting like I did.

I did clean install of Splunk 9.4 in small customer environment with virtualized AIO instance. After the installation there was an error notifying that KV Store can not start and that mongo log should be checked.

The following error was logged:

 

ERROR KVStoreConfigurationProvider [4755 KVStoreConfigurationThread] - Could not start mongo instance. Initialization failed.

 

 
Mongod.log was completely empty.  So there was no clues in the log files about what is wrong and what can I do to make KVStore operational.

Time to start Googling. Solution will be posted in the next post.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MaverickT
Communicator
‎01-08-2025 01:54 PM

I did some reading of the documentation and realized that underlying Mongo DB was upgraded to 7. I figured out that Mongo DB 5+ requires AVX instruction set

So time to check if CPU supports AVX instruction set - in my case the CPU model did support this instructions. But running the lscpu command didnt show AVX flags. It turned out that AVX instructions were not available, because the VM had Processor compatibility mode enabled. In hyper-v we had to remove "Allow migration to a virtual machine host with a different processor version" checkbox.  After VM was restarted, AVX appeared in CPU flags and Splunk KV Store was operational.

Screenshot 2025-01-08 at 22.23.30.png

Lession learned: before upgrading  to 9.4 (or making fresh install), check if AVX flag is available. If it isn't, it is about time to upgrade your hardware 😁 and in stick to Splunk 9.3.

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-08-2025 01:54 PM

Have you checked from mongodb.log why this is not starting? There is one another case where Windows OS was not supported by Splunk 9.4.0 version. https://community.splunk.com/t5/Splunk-Enterprise/KVstore-unable-to-start-after-upgrade-to-Splunk-En...

0 Karma
Reply
Solved! Jump to solution
Solution

MaverickT
Communicator
‎01-08-2025 01:54 PM

I did some reading of the documentation and realized that underlying Mongo DB was upgraded to 7. I figured out that Mongo DB 5+ requires AVX instruction set

So time to check if CPU supports AVX instruction set - in my case the CPU model did support this instructions. But running the lscpu command didnt show AVX flags. It turned out that AVX instructions were not available, because the VM had Processor compatibility mode enabled. In hyper-v we had to remove "Allow migration to a virtual machine host with a different processor version" checkbox.  After VM was restarted, AVX appeared in CPU flags and Splunk KV Store was operational.

Screenshot 2025-01-08 at 22.23.30.png

Lession learned: before upgrading  to 9.4 (or making fresh install), check if AVX flag is available. If it isn't, it is about time to upgrade your hardware 😁 and in stick to Splunk 9.3.

Reply
Solved! Jump to solution

kundeng
Path Finder
‎07-27-2025 05:31 PM

This breaks Splunk running in Rosetta on ARM based M1,M2,M3,M4 mac computers.  

Previously Splunk can be run smoothly in Rosetta emulated Linux VM on new macs.  

0 Karma
Reply
Solved! Jump to solution

mwk1000
Path Finder
‎05-12-2025 11:31 AM

I also hit an upgrade bug with 9.4.1 on a clients indexers , the upgrade migration mongo 4-7 failed to run due to the scripts not using SPLUNK_DB but hardcoding /opt/splunk/var/lib.... The indexers had a separate filesystem /data01/,,,, I was able to create a link from the mongo under /opt/splunk/var/lib/splunk/kvstore... to the "real" one in /data01 and restart triggering the upgrade process to complete properly ....

0 Karma
Reply
Solved! Jump to solution

trashyroadz
Splunk Employee
Splunk Employee
6m ago

I realize this response comes in a bit late in the game for most on this thread, but hopefully it will be useful to someone. 

KV Store is not used on indexers. In fact, it can be disabled on any Splunk Enterprise instance that is not running as a search head (see caveats below). This means includes Indexers, Deployment Servers, Cluster Managers, License Managers and Search Head Cluster Deployers, Heavy Forwarders (see exceptions below).

Instances that SHOULD run KV Store include:

  • Search Heads
  • Monitoring Console (if you want access to its KV Store dashboards-- see caveats below)
  • Heavy Forwarders, if used as search heads or are running DB Connect app (or, not likely but possible, any custom app that specifically relies on the KV Store) 
  • Lastly, any Splunk Enterprise instance in your deployment which requires token-based authentication

CAVEATS:

  • If your Monitoring Console machine also operates another Splunk role such as Deployment Server or License Manager, keep the KV Store running on that instance.
  • As of this writing, the Monitoring Console appears to use the KV Store only for KV Store-specific dashboards. If you don't care about those dashboards and the KV Store is giving you real headaches on that instance, disabling it will cause the dashboards which rely on KV Store to stop working, but all other Monitoring Console dashboards will function as expected.
  • Universal Forwarders are not shipped with the KV Store so nothing to worry about there
-- now that's Trashy!
0 Karma
Reply
Solved! Jump to solution

mwk1000
Path Finder
‎05-12-2025 11:39 AM

So if your indexers have separate storage filesystem for indexes consider pre upgrade creating the links ln -s /mypath-to/mongo /opt/splunk/var/lib/splunk/kvstore/mongo for a headach free kvstore update

 

 

Reply
Solved! Jump to solution

dpollardcouk
Engager
‎07-04-2025 05:23 AM

Which if your indexers are using a different partition for their storage, could be anywhere.    I found that I was missing the link too,    put note that I've put the link in at kvstore level rather than the mongo 

ln -s /splunkdata/kvstore /opt/splunk/var/lib/splunk/kvstore 

 Where /splunkdata/ is my mounted data drive where all my indexes go.

Tags (3)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...