Deployment Architecture

splunk crash on 6.2.3 upgrade: Assertion `_trans->_connp == this' failed.

rphillips_splk
Splunk Employee
Splunk Employee

Problem:
Upgrading a search head from 6.1.3 to 6.2.3 resulted in a crash with this message:

HttpClientRequest.cpp:1887: virtual void HttpClientConnection::errorHappened(const SocketError&): Assertion `_trans->_connp == this' failed.

This SH was not part of a cluster or pooling

migrating
from: splunk-6.1.3-220630-linux-2.6-x86_64
to: splunk-6.2.3-264376-Linux-x86_64

Impact: Search head down until workaround implemented

Tags (3)
0 Karma
1 Solution

rphillips_splk
Splunk Employee
Splunk Employee

currently there is a known bug SPL-102399 outstanding

workaround:
1. stop splunk
$SPLUNK_HOME/bin
./splunk stop

2.disable distsearch:
$SPLUNK_HOME/etc/system/local/distsearch.conf
[distributedSearch]
disabled = true

3.if the ftr file does not exist in $SPLUNK_HOME/ create ftr file

example:
/opt/splunk/
touch ftr
the presence of this file will cause splunk to run through the first time run steps. The file should still be there if splunk crashed before the setup was complete as in this scenario

4.start splunk
$SPLUNK_HOME/bin
./splunk start

5.enable distsearch

$SPLUNK_HOME/etc/system/local/distsearch.conf
[distributedSearch]
disabled = false

6.restart splunk
$SPLUNK_HOME/bin
./splunk restart

View solution in original post

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

also reports of customers hitting this issue while trying to upgrade from 6.2.2 to 6.2.3

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

currently there is a known bug SPL-102399 outstanding

workaround:
1. stop splunk
$SPLUNK_HOME/bin
./splunk stop

2.disable distsearch:
$SPLUNK_HOME/etc/system/local/distsearch.conf
[distributedSearch]
disabled = true

3.if the ftr file does not exist in $SPLUNK_HOME/ create ftr file

example:
/opt/splunk/
touch ftr
the presence of this file will cause splunk to run through the first time run steps. The file should still be there if splunk crashed before the setup was complete as in this scenario

4.start splunk
$SPLUNK_HOME/bin
./splunk start

5.enable distsearch

$SPLUNK_HOME/etc/system/local/distsearch.conf
[distributedSearch]
disabled = false

6.restart splunk
$SPLUNK_HOME/bin
./splunk restart

0 Karma

dmuth_cc
Engager

FYI, this fix also works for a 6.2.1 to 6.2.4 upgrade.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...