We encountered some issues when upgrading our clustered indexes infrastructure from 7.2.4 to 7.2.5. The upgrade process for all machines worked as expected, however, when trying to access our search head, it seemed not to be able to communicate with the rest of our infrastructure.
After debugging the logfiles we found out that some of our defined FIELDALIAS'es in the props.conf
on one of our custom apps was causing the search head to fatally crash. The following line within the crash log seemed to be at the base of the problem.
03-28-2019 16:24:20.505 WARN FieldAliaser - Invalid field alias specification in stanza 'XXX': FIELDALIAS-file_hash='TargetHash' (type='targethash')
03-28-2019 16:24:20.548 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-user' in stanza [XXX]: The expression is malformed. Expected ).
Even though the log does not indicate it to be an error, these were the last couple of lines prior to the application crashing. After uncommenting these field aliases in the application, all functionality went back to normal. Prior to the upgrade, however, these aliases did not have any impact on the search head's functionality.
I am wondering whether something changed with the current upgrade that could cause this issue. After looking into the patchnotes, I could not determine any significant changes that would. We rely on those custom apps for our day-to-day operations and having those fields is essential for us.
Hi,
There is bug in Splunk Enterprise 7.2.5 and splunk released patch release 7.2.5.1 yesterday. So please upgrade to 7.2.5.1
Splunk Enterprise 7.2.5.1 was released on March 28, 2019. Version 7.2.5 introduced a defect (SPL-167959) that causes crashes in deployments that have invalid FIELDALIAS definitions in props.conf. Version 7.2.5.1 prevents these crashes from occurring.
Hi,
There is bug in Splunk Enterprise 7.2.5 and splunk released patch release 7.2.5.1 yesterday. So please upgrade to 7.2.5.1
Splunk Enterprise 7.2.5.1 was released on March 28, 2019. Version 7.2.5 introduced a defect (SPL-167959) that causes crashes in deployments that have invalid FIELDALIAS definitions in props.conf. Version 7.2.5.1 prevents these crashes from occurring.
We upgraded our infrastructure without any problems this time around. Thank you for your answer.