Splunk failed to start after upgrade to 4.3 on Red...

djfisher · ‎01-10-2012

I am running Redhat Enterprise 5.5 on my systems. I currently upgraded to 4.2.5 with no problem. Today I tried to update a server with the Splunk 4.3. I also updated the *Nix app (4.5) on this server at the same time. When I go to start splunk I get this error after site checks and during the config checks. From reading so far, it could be a python error of some sort?

Error:
ImportError: No module named site

**Update
I noticed this error on the attempt to upgrade 4.2.5 to 4.3:
error: unpacking of archive failed on file /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/locale/zh_CH/LC_MESSAGES/messages.po;4f0efb70: cpio: read

wouterdutoit · ‎01-17-2012

It looks like there is an integrity problem with previous RPM file "splunkforwarder-4.3-115073-linux-2.6-x86_64.rpm" I downloaded on the 11th of January 2011

Trying to extract the file using rpm2cpio indicates the file was truncated:
rpm2cpio splunkforwarder-4.3-115073-linux-2.6-x86_64.rpm |cpio -idmv
./opt/splunkforwarder/README-splunk.txt
./opt/splunkforwarder/bin
./opt/splunkforwarder/bin/bloom
./opt/splunkforwarder/bin/btool
./opt/splunkforwarder/bin/btprobe
./opt/splunkforwarder/bin/bzip2
./opt/splunkforwarder/bin/locktool
./opt/splunkforwarder/bin/openssl
cpio: premature end of file

I redownloaded the file from Splunk and compared md5sums, and it showed that the previous version I downloaded was corrupt. The newly downloaded file extracted correctly.

Splunk failed to start after upgrade to 4.3 on Redhat linux

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?