Since i upgrdaed splunk enterprise to 5.5.3 and installed Enterprise security app, i am getting following error continuously in splunkd.log.
Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
and some other failed external commands.
i have upgraded the splunk ES version to 4.7 and it seems to fixed the issue
i have upgraded the splunk ES version to 4.7 and it seems to fixed the issue
Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:
index=_internal sourcetype=mongod
it seems normal. Error is coming since i upgraded Enterprise and installed ES
04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
Give it sometime to run datamodels and lookup builds to complete.
its been 3 days, after installation i did nothing in ES or splunk
Try running this search and post the output:
|rest /services/server/info|table host kvStoreStatus
KvStorestatus is starting for both the serach head.
Did you have a look at this case and check for permission for KVstore files & certificates?
The status of KVstore should be "ready".