Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk not starting after upgrade (6.6.1 > 7.0.0).

alvaroveiga
New Member
‎09-28-2017 01:23 PM

Hi, i just updated from 6.6.1 to latest version(7) and now i'am stuck with splunk not starting web interface:

./splunk restart

Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..................................... [ OK ]
Stopping splunk helpers...
[ OK ]
Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking http port [10.244.161.7:8000]: open
Checking mgmt port [10.244.161.7:8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [10.244.161.7:8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket checkfwd eqalis_network_sample firewall history itau main mwg_audit os ossec perfmon snort_cardholder snort_servidores sos sos_summary_daily summary summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes syslog tp_win_sec tp_win_servers windows wineventlog
Done

Bypassing local license checks since this instance is configured with a remote license master.

    Checking filesystem compatibility...  Done
    Checking conf files for problems...
            Improper stanza [dhcpd_server_dhcprelease] in /opt/splunk/etc/apps/unix/default/tags.conf, line 30
            Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-7.0.0-c8a78efdd40f-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done

All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
[ OK ]

Waiting for web server at https://10.244.161.7:8000 to be available............................................................................................................................................................................................................................................................................................................

WARNING: web interface does not seem to be available!

What can be causing it ?

Labels (2)
Labels
0 Karma
Reply

bgagliardi1
Path Finder
‎05-10-2018 02:22 PM

I had the same issue and I had to look at the crash log and found (in hex code) that there was a duplicate HEC (HTTP Event Collector) key in an app. So in summary, I had an app that was a culprit. You can backup all your apps, and either remove all and add 1 at a time and restart splunk, or have them all on there and delete one by 1 and try starting splunk.

This is the process I went through and it is also the recommended approach by Splunk to ensure that all apps work on a splunk (dev) server before upgrading prod.

0 Karma
Reply

bgagliardi1
Path Finder
‎05-10-2018 02:24 PM

I was coming from 6.6.2 to 7.0.3

There were no logs in splunkd or the web logs.

0 Karma
Reply

everagu
Engager
‎09-29-2017 10:30 AM

I have the same message after upgrade, just wait a minute and try start it again. That works for me.

0 Karma
Reply

alvaroveiga
New Member
‎09-29-2017 12:09 PM

Didnt work.

0 Karma
Reply

Sukisen1981
Champion
‎09-28-2017 01:37 PM

Tried - https://10.244.161.7:8001?

0 Karma
Reply

alvaroveiga
New Member
‎09-28-2017 02:03 PM

Doesnt work..

0 Karma
Reply

harsmarvania57
Ultra Champion
‎09-28-2017 08:47 PM

Have you tried to access https://10.244.161.7:8000 ? If it's not working then any error logs in $SPLUNK_HOME/var/log/splunk/web_service.log ?

0 Karma
Reply

alvaroveiga
New Member
‎09-29-2017 10:17 AM

Not working, here is the logs:
https://pastebin.com/3Z5pmzCs

Could you please help me understanding it?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...