Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk not starting after upgrade (6.6.1 > 7.0.0).

alvaroveiga
New Member
‎09-28-2017 01:23 PM

Hi, i just updated from 6.6.1 to latest version(7) and now i'am stuck with splunk not starting web interface:

./splunk restart

Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..................................... [ OK ]
Stopping splunk helpers...
[ OK ]
Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking http port [10.244.161.7:8000]: open
Checking mgmt port [10.244.161.7:8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [10.244.161.7:8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket checkfwd eqalis_network_sample firewall history itau main mwg_audit os ossec perfmon snort_cardholder snort_servidores sos sos_summary_daily summary summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes syslog tp_win_sec tp_win_servers windows wineventlog
Done

Bypassing local license checks since this instance is configured with a remote license master.

    Checking filesystem compatibility...  Done
    Checking conf files for problems...
            Improper stanza [dhcpd_server_dhcprelease] in /opt/splunk/etc/apps/unix/default/tags.conf, line 30
            Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-7.0.0-c8a78efdd40f-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done

All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
[ OK ]

Waiting for web server at https://10.244.161.7:8000 to be available............................................................................................................................................................................................................................................................................................................

WARNING: web interface does not seem to be available!

What can be causing it ?

Labels (2)
Labels
0 Karma
Reply

bgagliardi1
Path Finder
‎05-10-2018 02:22 PM

I had the same issue and I had to look at the crash log and found (in hex code) that there was a duplicate HEC (HTTP Event Collector) key in an app. So in summary, I had an app that was a culprit. You can backup all your apps, and either remove all and add 1 at a time and restart splunk, or have them all on there and delete one by 1 and try starting splunk.

This is the process I went through and it is also the recommended approach by Splunk to ensure that all apps work on a splunk (dev) server before upgrading prod.

0 Karma
Reply

bgagliardi1
Path Finder
‎05-10-2018 02:24 PM

I was coming from 6.6.2 to 7.0.3

There were no logs in splunkd or the web logs.

0 Karma
Reply

everagu
Engager
‎09-29-2017 10:30 AM

I have the same message after upgrade, just wait a minute and try start it again. That works for me.

0 Karma
Reply

alvaroveiga
New Member
‎09-29-2017 12:09 PM

Didnt work.

0 Karma
Reply

Sukisen1981
Champion
‎09-28-2017 01:37 PM

Tried - https://10.244.161.7:8001?

0 Karma
Reply

alvaroveiga
New Member
‎09-28-2017 02:03 PM

Doesnt work..

0 Karma
Reply

harsmarvania57
Ultra Champion
‎09-28-2017 08:47 PM

Have you tried to access https://10.244.161.7:8000 ? If it's not working then any error logs in $SPLUNK_HOME/var/log/splunk/web_service.log ?

0 Karma
Reply

alvaroveiga
New Member
‎09-29-2017 10:17 AM

Not working, here is the logs:
https://pastebin.com/3Z5pmzCs

Could you please help me understanding it?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...