Deployment Architecture

Why am I unable to apply search head cluster bundle?

martaBenedetti
Path Finder

Hi community,

I've just performed an upgrade on my infrastructure (distributed environment) from Splunk 8.2.3 to Splunk 9.0.3.

All the instances seem to work fine, I have problems though in applying search head cluster bundle.

I use this command to upgrade Splunk Enterprise Security:

 

$SPLUNK_HOME/bin/splunk apply shcluster-bundle -preserve-lookups true -target https://instance1:8089

 

 

But it doesn't work and I receive this message:

 

Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=SplunkEnterpriseSecuritySuite on target=https://instance1:8089: Error in JSON response: Unexpected EOF

 

 

Do you have any idea of what could be the problem?

 

Thank you

Marta

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @martaBenedetti,

I encountered a similar problem (not on ES) caused by too few disk space on the Deployer.

But anyway, immediately open a case to Splunk Support.

Ciao.

Giuseppe

 

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @martaBenedetti,

I encountered a similar problem (not on ES) caused by too few disk space on the Deployer.

But anyway, immediately open a case to Splunk Support.

Ciao.

Giuseppe

 

kvm
Explorer

Hi @gcusello 

What was the root cause & solution? and which Splunk version were you using?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @kvm,

it's always better to open a new question instead append it to an existing one, event if with the same topic because because less people should answer to your question.

Anyway, the root cause were two:

  • not enough disk space on the Deployer,
  • there were many large lookups.

So when the Deployer prepared the bundle to deploy it didn't have enough space.

You can solte this problem in three ways:

Ciao.

Giuseppe

skrivis
Engager

I found that I was getting that same error about "Unexpected EOF," but there was plenty of disk space on the deployer and all cluster members.

I finally tried restarting splunk on all of the SH cluster members and after that I was able to successfully push the bundle.

computermathguy
Explorer

We got the same error for all the members of the cluster.  When it occurred, we had to restart Splunk on each member. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @skrivis,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...