Splunk Enterprise Security

After upgrade to 7.2.5 due to FIELDALIAS in app props.conf, why is my search head crashing?

hexerino
Explorer

We encountered some issues when upgrading our clustered indexes infrastructure from 7.2.4 to 7.2.5. The upgrade process for all machines worked as expected; however, when trying to access our search head, it seemed not to be able to communicate with the rest of our infrastructure.

After debugging the log files we found out that some of our defined FIELDALIASes in the props.conf on one of our custom apps were causing the search head to fatally crash. The following line within the crash log seemed to be at the base of the problem.

03-28-2019 16:24:20.505 WARN  FieldAliaser - Invalid field alias specification in stanza 'XXX': FIELDALIAS-file_hash='TargetHash' (type='targethash')
03-28-2019 16:24:20.548 WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-user' in stanza [XXX]: The expression is malformed. Expected ).

Even though the log does not indicate it to be an error, these were the last couple of lines prior to the application crashing. After uncommenting these field aliases in the application, all functionality went back to normal. Prior to the upgrade, however, these aliases did not have any impact on the search head's functionality.

I am wondering whether something changed with the current upgrade that could cause this issue. After looking into the patch notes, I could not determine any significant changes that would. We rely on those custom apps for our day-to-day operations and having those fields is essential for us.

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi,

There is a bug in Splunk Enterprise 7.2.5, and Splunk released patch release 7.2.5.1 yesterday, so please upgrade to 7.2.5.1.

Splunk Enterprise 7.2.5.1 was released on March 28, 2019. Version 7.2.5 introduced a defect (SPL-167959) that causes crashes in deployments that have invalid FIELDALIAS definitions in props.conf. Version 7.2.5.1 prevents these crashes from occurring. 


0 Karma
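
A pre-upgrade check for the condition named in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it scans props.conf text for FIELDALIAS settings whose value is not one or more `<field> AS <field>` pairs. The grammar is a simplification, and the function name and sample stanza are assumptions made for illustration.

```python
import re

# Simplified grammar (an assumption, not Splunk's own parser): one or more
# "<orig_field> AS <new_field>" pairs; names are bare words or double-quoted.
_TOKEN = r'(?:"[^"]+"|[^\s"]+)'
_ALIAS_VALUE = re.compile(
    rf'(?:\s*{_TOKEN}\s+AS\s+{_TOKEN})+\s*', re.IGNORECASE)
_STANZA = re.compile(r'^\[(.+)\]\s*$')
_SETTING = re.compile(r'^(FIELDALIAS-[^=\s]+)\s*=\s*(.*)$')


def find_invalid_aliases(props_text):
    """Return (line_no, stanza, key, value) for each malformed FIELDALIAS."""
    findings, stanza = [], "default"  # settings before any header are global
    for line_no, raw in enumerate(props_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        header = _STANZA.match(line)
        if header:
            stanza = header.group(1)
            continue
        setting = _SETTING.match(line)
        if setting and not _ALIAS_VALUE.fullmatch(setting.group(2)):
            findings.append(
                (line_no, stanza, setting.group(1), setting.group(2)))
    return findings


# Constructed sample; the file_hash alias mirrors the one in the WARN line
# quoted in the question (a single field name with no "AS <new_field>").
SAMPLE_PROPS = """\
[constructed:sourcetype]
FIELDALIAS-src = src_ip AS src "Source Port" AS src_port
FIELDALIAS-file_hash = TargetHash
# FIELDALIAS-disabled = commented_out
FIELDALIAS-dangling = TargetUser AS
"""

if __name__ == "__main__":
    for line_no, stanza, key, value in find_invalid_aliases(SAMPLE_PROPS):
        print(f"props.conf:{line_no} [{stanza}] {key} = {value!r} "
              "is not '<field> AS <field>'")
```

Running it over each app's default and local props.conf before an upgrade lists the settings to fix or comment out; anything it flags should still be confirmed against the FieldAliaser warnings in splunkd.log.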


hexerino
Explorer

We upgraded our infrastructure without any problems this time around. Thank you for your answer.

0 Karma