Solved: Splunk 7.3 - Fail on Fetch tokens collection

marcus_santos_s · ‎07-03-2019

Regards,

I upgraded my Splunk server from version 7.1.2 to 7.3 and received the error ** Failed to fetch search tokens. Details: [object Response] ** when I enable the Token Authentication feature. Can anyone help solve this problem?

codebuilder · ‎07-04-2019

I've encountered this issue when upgrading from 7.0.x to 7.2.x.

The solution that worked for me was to first determine captaincy within the SHC.
Cycle Splunk on the captain, which will force a new election.
One Splunk is again healthy on the previous captain, force a re-sync of the KV Store.
Validate via splunkd logs and/or DMC.

Jon
(always test in non-prod!)

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎07-04-2019

I've encountered this issue when upgrading from 7.0.x to 7.2.x.

The solution that worked for me was to first determine captaincy within the SHC.
Cycle Splunk on the captain, which will force a new election.
One Splunk is again healthy on the previous captain, force a re-sync of the KV Store.
Validate via splunkd logs and/or DMC.

Jon
(always test in non-prod!)

----
An upvote would be appreciated and Accept Solution if it helps!

marcus_santos_s · ‎07-15-2019

Hi, @codebuilder,

I understood, but I have a standalone instance and not a search head cluster.
Probably this solution would not work for me but I'll try to resynchronize the kvstore.

marcus_santos_s · ‎07-15-2019

Taking into account what you said, I did a clean up at the KV Store.
This command solved for me:

SPLUNK_BIN/splunk clean kvstore --local

Splunk 7.3 - Fail on Fetch tokens collection

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases