Re: Invalid Site Id error after splunk 6 upgrade

toddbruner · ‎06-27-2014

Just upgraded a search head to 6.1.1 from 5.0.2. (Indexers on separate system and is at 6.1.1).
One of my users is reporting the following errors using the REST API:

[ovm5] Search results may be incomplete, peer ms28.foo.com's
search ended prematurely. Error = Invalid site id:
[ovm6] Search results may be incomplete, peer ms28.foo.com's
search ended prematurely. Error = Invalid site id:

The same search was working prior to the upgrade. Does anyone know what is causing this and, if so, any pointers to a solution would be appreciated.

TB

khourihan_splun · ‎07-23-2014

Hey TB,

Your SH and indexers should be on the same version, else you will get this error. I had the same message, but when I upgraded them all to the same version, things went smoothly.

I was told by Splunk ENG that minor subversions are ok i.e. 6.0.1 --> 6.0.3 but not minor versions i.e. 6.0 --> 6.1

Good luck!

Kyle

ppablo · ‎07-25-2014

Hi @khourihan_splunk

I think @toddbruner's SH and indexer are currently the same version?

"Just upgraded a search head to 6.1.1 from 5.0.2. (Indexers on separate system and is at 6.1.1)"

Getting "Invalid Site Id" error after Splunk upgrade from 5.0.2 to 6.1.1.

indexer

search head

upgrade

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?