Getting "Invalid Site Id" error after Splunk upgrade from 5.0.2 to 6.1.1.

toddbruner
Explorer

Just upgraded a search head to 6.1.1 from 5.0.2. (Indexers on separate system and is at 6.1.1).
One of my users is reporting the following errors using the REST API:

[ovm5] Search results may be incomplete, peer ms28.foo.com's
search ended prematurely. Error = Invalid site id:
[ovm6] Search results may be incomplete, peer ms28.foo.com's
search ended prematurely. Error = Invalid site id:

The same search was working prior to the upgrade. Does anyone know what is causing this and, if so, any pointers to a solution would be appreciated.

TB

0 Karma

khourihan_splun
Splunk Employee

Hey TB,

Your SH and indexers should be on the same version, else you will get this error. I had the same message, but when I upgraded them all to the same version, things went smoothly.

I was told by Splunk ENG that minor subversions are OK, i.e. 6.0.1 --> 6.0.3, but not minor versions, i.e. 6.0 --> 6.1.

Good luck!

Kyle

0 Karma

ppablo
Retired

Hi @khourihan_splunk

I think @toddbruner's SH and indexer are currently the same version?

"Just upgraded a search head to 6.1.1 from 5.0.2. (Indexers on separate system and is at 6.1.1)"

0 Karma