Splunk Enterprise Security

Error when upgrading to Splunk Enterprise Security 6.0

hettervik
Builder

Hi.

I have some problems upgrading to Splunk ES 6.0. Normally I've just done the upgrade in the UI, no problem. However, this time, after I've uploaded the spl-file, checked the "upgrade" check box, and clicked "install", the browser just takes me to an error page. I've tried Chrome, Firefox and IE. Chrome says "This site can't be reached" and Firefox says "Secure connection failed". Also I've tried installing the spl-file with the CLI install command ./splunk install app <file.spl> -update 1. I don't know if this is supported for Splunk ES, but I tried anyway. Though I get an error message here as well, "Error during app install: failed to extract app from long-file-path: No such file or directory".

Anyone have an idea on how to troubleshoot this, or know any possible fixes?

Alternatively, is there any guide on how to install Splunk ES "manually" by extracting it to the app directory? I've tried this as well, but I get a lot of errors regarding DAs and SEs being in the wrong version, so I guess I would have to upgrade all of these add-ons manually as well, but I'm not sure if this method of upgrading Splunk ES is okay.

1 Solution

hettervik
Builder

I found a workaround. I extracted the spl-file and copied the whole app directory for Splunk ES SplunkEnterpriseSecuritySuite over to my Splunk ES server, and moved it into the app folder, writing over the existing Splunk ES app. Then I ran the Splunk ES install command in the web GUI search bar (which I didn't know existed before just now). First a dry run | essinstall --dry-run, and then the actual run, skipping all TAs | essinstall --skip-ta *.

More information on the essinstall command can be found here: https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity#Install_Splunk_Ente...


andsov
Explorer

We also experienced the same error message when upgrading to 6.4.1. 

I tried to run the same SPL as you

| essinstall --skip-ta * 

 
Which returned:
Image Pasted at 2021-2-10 11-36.png

So I think that "--skip-ta" might be deprecated. But the following worked for me at least:

| essinstall --ssl_enablement auto

ryansaunders
Explorer

This appears to be caused by the max_upload_size parameter being set too low. Splunk's default max_upload_size is 500, which is smaller than the ES 6.0 installer.

Increase the max_upload_size parameter in web.conf and this should clear up for you.

See step 2 of the installation instructions here: https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity

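As an added pre-flight check (not from the thread or Splunk's own tooling) for the web.conf limit described above: it computes how many MB of max_upload_size a package needs, parses the effective value from btool-style output (assuming the setting is read from the [settings] stanza in MB, defaulting to 500), and prints the stanza to set when the package does not fit. SPLUNK_HOME and the use of splunk btool are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight check: will an app package (e.g. the ES .spl) fit under web.conf's
# max_upload_size before it is pushed through Splunk Web?
# Assumptions (not from the thread): splunk btool is available under SPLUNK_HOME,
# and max_upload_size lives in the [settings] stanza of web.conf, in megabytes.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Smallest max_upload_size (MB, rounded up) that fits a package of the given byte size.
required_upload_mb() {
  local bytes="$1"
  echo $(( (bytes + 1024*1024 - 1) / (1024*1024) ))
}

# Extract max_upload_size from btool-style "key = value" lines; default 500 if absent.
parse_max_upload_mb() {
  local value
  value=$(printf '%s\n' "$1" | sed -n 's/^max_upload_size *= *\([0-9][0-9]*\).*/\1/p' | head -n 1)
  echo "${value:-500}"
}

# Exit status 0 when the package fits under the configured limit, 1 otherwise.
upload_fits() {
  local file_bytes="$1" limit_mb="$2"
  [ "$(required_upload_mb "$file_bytes")" -le "$limit_mb" ]
}

# Read the effective limit from a live instance (assumption: btool present and runnable).
effective_max_upload_mb() {
  parse_max_upload_mb "$("$SPLUNK_HOME/bin/splunk" btool web list settings 2>/dev/null)"
}

# Usage: check_package /path/to/package.spl "$(effective_max_upload_mb)"
check_package() {
  local pkg="$1" limit_mb="$2" bytes need
  bytes=$(stat -c %s "$pkg" 2>/dev/null || stat -f %z "$pkg")   # GNU stat, then BSD stat
  need=$(required_upload_mb "$bytes")
  if upload_fits "$bytes" "$limit_mb"; then
    echo "OK: $pkg needs $need MB, max_upload_size is $limit_mb MB"
  else
    echo "FAIL: $pkg needs $need MB, max_upload_size is $limit_mb MB"
    echo "Add to \$SPLUNK_HOME/etc/system/local/web.conf and restart Splunk Web:"
    printf '[settings]\nmax_upload_size = %s\n' "$need"
  fi
}
```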
melnapoles
Engager

It looks like this has been a known issue recorded in the ES v6.0 release notes. Check out issue number SOLNESS-14637 and a listed workaround here: https://docs.splunk.com/Documentation/ES/6.0.0/RN/KnownIssues.

hettervik
Builder

Actually the issue you're referring to seems to be another issue. The problem I had was that I was not able to upload the Splunk ES .spl install file in the first place. Other Splunk install files still worked.

0 Karma

mwyman_splunk
Splunk Employee

For version ES 6.4.1, we were able to pass an argument to ignore the ssl_enablement and the installer worked correctly on our search head deployer. The command was: splunk search '| essinstall --deployment_type shc_deployer --ssl_enablement ignore' -auth admin:<pwd>

0 Karma