Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrading to 6.5.0, KV Store will not start

jcrabb_splunk
Splunk Employee
Splunk Employee
‎10-05-2016 09:29 AM

After upgrading to Splunk Enterprise 6.5.0, the KV Store will not start. On my indexers I see:

10/5/2016, 5:44:56 AM:

Search peer indexer01.domain.local has the following message: Failed to start KV Store process. See mongod.log and splunkd.log for details.

In splunkd.log I find:

10-05-2016 05:44:56.087 +0000 ERROR MongodRunner - mongod exited abnormally (exit code 14, status: exited with code 14) - look at mongod.log to investigate.

Looking in the mongod.log I find:

2016-10-05T05:44:56.753Z W CONTROL  No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
 2016-10-05T05:44:56.761Z F NETWORK  The provided SSL certificate is expired or not yet valid.
 2016-10-05T05:44:56.761Z I -        Fatal Assertion 28652
 2016-10-05T05:44:56.761Z I -
 ***aborting after fassert() failure

How can this be resolved?

Jacob
Sr. Technical Support Engineer
Reply
1 Solution
Solved! Jump to solution
Solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎10-05-2016 09:35 AM

This can happen if the cert used by Splunkd to talk to Mongod has expired. Verify your certs are valid. For example, to validate the expiration date for server.pem you can run:

From $SPLUNK_HOME/etc/auth/

openssl x509 -enddate -noout -in ./server.pem

Results:

notAfter=Dec  10 14:017:25 2015 GMT

In the example above, the cert is expired. If you want to create a new cert you can look at splunk createssl:

$SPLUNK_HOME/bin/splunk help createssl

An example:

$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048

Simply adjust for your environment requirements/settings. Once the new cert is in place, you can test to confirm it is valid:

From $SPLUNK_HOME/etc/auth/

openssl x509 -enddate -noout -in ./server.pem

Results:

notAfter=Aug 22 15:30:45 2019 GMT

If it is now valid, restart Splunk and validate if KVStore is running:

ps -ax | grep mongod

26108 ?        Ssl   62:11 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=200 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --replSet=50D25A40-7DD2-4017-A223-732705AD4A96 --sslAllowInvalidHostnames --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx --nounixsocket

And also:

$SPLUNK_HOME/bin/splunk _internal call /services/server/info |grep -i kvstore

<s:key name="kvStoreStatus">ready</s:key>

A third way to check is to run the following search from command line on the instance where you have the "Deployment Management Console / Monitor Console" Configured.

$SPLUNK_HOME/bin/splunk search "| rest /services/server/info splunk_server=* | fields splunk_server, kvStoreStatus"

          splunk_server       kvStoreStatus
    ------------------------- -------------
    indexer01.domain.com      ready
    indexer02.domain.com      ready
    indexer03.domain.com      ready
    indexer04.domain.com      ready
    indexer05.domain.com      ready
Jacob
Sr. Technical Support Engineer

View solution in original post

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...