Hi Team,
I have upgraded my splunk standalone enterprise (indexer) from 6.4.1 to 7.0.0. i am not able to see data in my MC. Also in resource usage tab under Machine information the instance i see is not same as i have in my general setup. Also the instance under machine information is not reachable and uri is blank. Could someone help me with thsi.
Thanks.
The pass4SymmKey hashing algorithm changed between those two versions.
Try re-entering the pass4SymmKey in plain text on each node in server.conf, then cycle Splunk and try again.
That should resolve it for you.
I tried the same but had no luck with it. Is there any other things i need to do/verify?
Thanks in advance!
Ensure that the log file directory and/or parent directory is still owned by your Splunk user.
This can change during an upgrade, depending on which user you used to install.
For Linux (I'm not a Windows guy) use the following:
chown -RP splunk:splunk /opt/splunk
That command assumes you're running Splunk as "splunk" and installed at /opt/splunk (obviously).
i did upgrade with splunk user only. The point to be noticed here is when i search for index=_introspection i can see that logs are getting indexed but no data shows in my splunk MC. As stated earlier my instance name under Machine info is different from the instance name in general settings.
Also, the instance under machine info is unreachable. So i changed my server Name and host in both server.conf and inputs.conf respectively to see if the instance under machine instance is being fetched from these logs. But it did not worked.
Thanks!