Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Failed to execute KV Store lookup

Prakhar_shukla
Path Finder
‎04-25-2017 03:32 AM

Since i upgrdaed splunk enterprise to 5.5.3 and installed Enterprise security app, i am getting following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Prakhar_shukla
Path Finder
‎04-26-2017 05:23 AM

i have upgraded the splunk ES version to 4.7 and it seems to fixed the issue

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Prakhar_shukla
Path Finder
‎04-26-2017 05:23 AM

i have upgraded the splunk ES version to 4.7 and it seems to fixed the issue

0 Karma
Reply
Solved! Jump to solution

LukeMurphey
Champion
‎04-25-2017 10:44 AM

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod
0 Karma
Reply
Solved! Jump to solution

Prakhar_shukla
Path Finder
‎04-26-2017 12:06 AM

it seems normal. Error is coming since i upgraded Enterprise and installed ES

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎04-26-2017 12:12 AM

Give it sometime to run datamodels and lookup builds to complete.

0 Karma
Reply
Solved! Jump to solution

Prakhar_shukla
Path Finder
‎04-26-2017 12:18 AM

its been 3 days, after installation i did nothing in ES or splunk

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎04-26-2017 01:35 AM

Try running this search and post the output:

|rest /services/server/info|table host kvStoreStatus
Reply
Solved! Jump to solution

Prakhar_shukla
Path Finder
‎04-26-2017 01:43 AM

KvStorestatus is starting for both the serach head.

0 Karma
Reply
Solved! Jump to solution

krish3
Contributor
‎04-26-2017 01:52 AM

Did you have a look at this case and check for permission for KVstore files & certificates?

The status of KVstore should be "ready".

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...