After upgrading from Splunk 6.1.7 to 6.3.1, why does Splunk report that it is Splunk 4.0?

ben363
Path Finder

I've upgraded Splunk from 6.1.7 to 6.3.1.

Splunk Help->About now says: "Splunk Version 4.0, Splunk Build 000, Current App Search & Reporting, App Version 6.3.1, Server Name N/A".

Why? Does this mean the upgrade didn't work?

Do I have to uninstall and reinstall?

splunk --version says:
"Splunk 6.3.1 (build f3e41e4b37b2)"

This box would probably once have had Splunk 5.0.4 on it, but I don't think it ever had anything earlier than that.

tywhite
Explorer

We opened up a case for this bug and were told that there is a slated fix in the next release (6.6.4).

0 Karma

tywhite
Explorer

Opened a new case with support as this has reoccurred even after upgrading to 7.0.

0 Karma

nk-1
Path Finder

Upgraded from v6.5.2 to v6.6.2, and I see v4.0 now too:
http://imgur.com/a/zFPAk

0 Karma

lycollicott
Motivator

Our SHC is version 6.6.0, but we are seeing this 4.0 thing now. Once last week, so we did a rolling restart to resolve it. Today it is back.

We are in production, so there must be a better recourse than a fresh install.

tywhite
Explorer

It has happened again today and our SHC is version 6.6.2 now.

Has anyone found a cause and permanent solution to this issue?

A rolling restart will temporarily resolve the issue and we don't have the luxury to do a fresh install.

Something else that I checked this time was the debug info for each of the individual search heads: http://SearchHeadName/en-US/debug/echo?ping=ok

All but one of the search heads were showing UNKNOWN_VERSION listed in the "Server Info" at the bottom of the debug window.

I logged into each one individually as the admin account using their respective URLs (http://SearchHeadName/en-US/account/login?loginType=Splunk) and then reloaded the debug URL, and this time the correct version was displayed in the Server Info.

After I finished logging into each one, I logged back into the URL for the SHC and this time the correct version was shown.

If anyone else has any info on this then please share. Thanks!

0 Karma

s2_splunk
Splunk Employee

This doesn't sound right at all. It should list the correct installed version and also show you a valid hostname following "Server Name". If you have the luxury, I would probably do a clean install from scratch.

0 Karma

ben363
Path Finder

And that's exactly what I've done. The worry is that it may happen again on a box where I don't have the same luxury.

0 Karma

lfedak_splunk
Splunk Employee

Hey @ben363, did the reinstall work out for you permanently? Another user commented on this post today reporting this issue.

0 Karma