Why do the splunkd or splunkweb services not start after an upgrade from Splunk 6.1.1 to 6.2 on Windows 2008 64-bit?

mldeschenes
Explorer

Running Windows 2008 64-bit. I simply wanted to upgrade as it was prompting me to and got annoying, so I did, and now it's busted :). That's what I get for using the free version.

Windows Event error:
Log Name: Application
Source: Application Error
Date: 11/6/2014 2:57:34 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Description:
Faulting application name: splunkd.exe, version: 1538.0.0.40733, time stamp: 0x5448464d
Faulting module name: splunkd.exe, version: 1538.0.0.40733, time stamp: 0x5448464d
Exception code: 0xc0000005
Fault offset: 0x000000000046e213
Faulting process id: 0xcd8
Faulting application start time: 0x01cff9fbe8441f46
Faulting application path: R:\Splunk\bin\splunkd.exe
Faulting module path: R:\Splunk\bin\splunkd.exe
Report Id: 2603b6b2-65ef-11e4-a63b-005056983db8
Event Xml:

<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-11-06T19:57:34.000000000Z" />
<EventRecordID>9372</EventRecordID>
<Channel>Application</Channel>
<Security />


<Data>splunkd.exe</Data>
<Data>1538.0.0.40733</Data>
<Data>5448464d</Data>
<Data>splunkd.exe</Data>
<Data>1538.0.0.40733</Data>
<Data>5448464d</Data>
<Data>c0000005</Data>
<Data>000000000046e213</Data>
<Data>cd8</Data>
<Data>01cff9fbe8441f46</Data>
<Data>R:\Splunk\bin\splunkd.exe</Data>
<Data>R:\Splunk\bin\splunkd.exe</Data>
<Data>2603b6b2-65ef-11e4-a63b-005056983db8</Data>
0 Karma
mldeschenes
Explorer

Managed to upgrade to 6.2.x... For some reason I had to use the local system account during the install process; it did not like using the domain account we had assigned.

0 Karma

mldeschenes
Explorer

I validated that config.xml file and all I see in the file is 1 line
null null null null.....

0 Karma

mldeschenes
Explorer

Did the required steps, but still no go...
R:\Splunk\bin>splunk restart
Splunkd: Stopped

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking configuration... Error while parsing 'R:\Splunk\etc\modules\internal\scheduler\config.xml':
not well-formed (invalid token): line 1, column 0

There were problems with the configuration files.
Would you like to ignore these errors? [y/n]:

I click Y and tons of errors... (a small clip)
Checking critical directories... Done
[build 237341] 2014-11-10 08:40:31
Access violation, cannot read at address [0x0000000000000010]
Exception address: [0x000000013FB8E213]
Crashing thread: Main Thread

OS: Windows
Arch: x86-64

Backtrace:
Splunk ran as local administrator /6.1 Service Pack 1
GetLastError(): 0
Executable module base: 0x000000013F720000
argv: [R:\Splunk\bin\splunkd validatedb]
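
The two posts above describe a `config.xml` that holds nothing but nulls and that the startup check rejects as not well-formed at line 1, column 0. The following is an added example, not part of the original thread and not Splunk code, that walks a directory for other XML files damaged the same way. It assumes "null" means NUL bytes; the function names and the sample file contents are constructed for illustration.

```python
import os
import sys
import xml.etree.ElementTree as ET

def classify_xml(path):
    """Return 'empty', 'nul-filled', 'malformed' or 'ok' for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        return "empty"
    if not data.strip(b"\x00"):
        # Only NUL bytes: space was allocated but the content never written.
        return "nul-filled"
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return "malformed"
    return "ok"

def scan_tree(root):
    """Map each damaged *.xml file under root (relative path) to its state."""
    damaged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                state = classify_xml(full)
                if state != "ok":
                    damaged[os.path.relpath(full, root)] = state
    return damaged

def build_sample_tree(root):
    """Write constructed sample files (not taken from a real Splunk install)."""
    samples = {
        ("internal", "scheduler", "config.xml"): b"\x00" * 512,
        ("internal", "other", "config.xml"): b"<module><param name='a'/></module>",
        ("internal", "cut", "config.xml"): b"<module><param name=",
        ("internal", "blank", "config.xml"): b"",
    }
    for parts, content in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # e.g. R:\Splunk\etc\modules
    for rel, state in sorted(scan_tree(root).items()):
        print(f"{state:11} {rel}")
```

Files reported as `nul-filled` or `empty` have lost their content and need to be restored from a backup or a matching install package, since nothing in them can be repaired.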

MartinMcNutt
Communicator

The very first thing I would do is re-apply default security.

  1. At the top level folder right click and properties.
  2. Select Security Tab
  3. Click Advanced
  4. Change Permissions
  5. Select both check boxes at bottom
  6. Click OK

Now open a DOS prompt and issue a Splunk restart from R:\Splunk\bin

Important note: Use DOS to restart the Splunk processes, as it will display errors or other warnings you might have missed by using Service Manager.

0 Karma