Splunk Enterprise Security

Failed to execute KV Store lookup

Prakhar_shukla
Path Finder

Since I upgraded Splunk Enterprise to 5.5.3 and installed the Enterprise Security app, I am getting the following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
1 Solution

Prakhar_shukla
Path Finder

I have upgraded the Splunk ES version to 4.7 and it seems to have fixed the issue.

0 Karma

LukeMurphey
Champion

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod

0 Karma

Prakhar_shukla
Path Finder

It seems normal. The error has been coming since I upgraded Enterprise and installed ES.

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma

krish3
Contributor

Give it some time to run datamodels and for the lookup builds to complete.

0 Karma

Prakhar_shukla
Path Finder

It's been 3 days; after installation I did nothing in ES or Splunk.

0 Karma

krish3
Contributor

Try running this search and post the output:

|rest /services/server/info|table host kvStoreStatus

Prakhar_shukla
Path Finder

kvStoreStatus is starting for both the search heads.

0 Karma

krish3
Contributor

Did you have a look at this case and check for permission for KVstore files & certificates?

The status of KVstore should be "ready".

0 Karma
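
The splunkd.log errors quoted in this thread can be triaged offline to tell a KV Store that is still starting from one that is stuck. This is an added example, not code from the posters or from Splunk: it groups the "KV Store initialization has not completed yet" errors by lookup and flags lookups that have been failing for longer than a threshold. The function names, the one-hour threshold and the last two sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# First three lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:07:10.001 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:07:11.000 +0200 INFO  Metrics - group=thruput, name=index_thruput
"""

# splunkd.log layout as seen in the thread: timestamp, level, component, " - ", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
LOOKUP_RE = re.compile(
    r"lookup '(?P<name>[^']+)' is not available because "
    r"KV Store initialization has not completed yet"
)

def kvstore_init_failures(log_text):
    """Return {lookup: {"count", "first", "last"}} for KV Store init errors."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue
        lk = LOOKUP_RE.search(m["msg"])
        if not lk:
            continue  # e.g. "Failed to create lookup context" names no lookup
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        rec = hits.setdefault(lk["name"], {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits

def stuck_lookups(hits, threshold=timedelta(hours=1)):
    """Lookups failing for at least `threshold` (assumed cut-off, tune per site)."""
    return sorted(n for n, r in hits.items() if r["last"] - r["first"] >= threshold)

if __name__ == "__main__":
    found = kvstore_init_failures(SAMPLE_LOG)
    for name in stuck_lookups(found):
        print(name, found[name]["count"], found[name]["first"], found[name]["last"])
```

A lookup that appears here across restarts or over many hours matches the kvStoreStatus of "starting" reported above rather than a normal post-install delay.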