Splunk Enterprise Security

Failed to execute KV Store lookup

Prakhar_shukla
Path Finder

Since I upgraded Splunk Enterprise to 5.5.3 and installed the Enterprise Security app, I am getting the following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
1 Solution

Prakhar_shukla
Path Finder

I have upgraded the Splunk ES version to 4.7 and it seems to have fixed the issue.

0 Karma

LukeMurphey
Champion

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod
0 Karma

Prakhar_shukla
Path Finder

It seems normal. The error has been coming since I upgraded Enterprise and installed ES.

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma

krish3
Contributor

Give it some time for the datamodels and lookup builds to complete.

0 Karma

Prakhar_shukla
Path Finder

It's been 3 days; after installation I did nothing in ES or Splunk.

0 Karma

krish3
Contributor

Try running this search and post the output:

|rest /services/server/info|table host kvStoreStatus

Prakhar_shukla
Path Finder

kvStoreStatus is "starting" for both search heads.

0 Karma

krish3
Contributor

Did you have a look at this case and check for permission for KVstore files & certificates?

The status of KVstore should be "ready".

0 Karma
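
Added example, not part of the thread and not Splunk's own code: a small Python triage script that reads splunkd.log text, groups the "KV Store initialization has not completed yet" errors by lookup name, and flags lookups that keep failing well past startup. The one-hour grace period and the timestamp on the first sample line are assumptions; the other sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# splunkd.log layout as seen in the thread: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+(\w+)\s+(\S+) - (.*)$")
NOT_READY = re.compile(r"lookup '([^']+)' is not available because KV Store initialization has not completed yet")

# Constructed sample input: line 1 reuses the thread's message text with an assumed timestamp,
# lines 2-4 are quoted from the thread.
SAMPLE_LOG = """\
04-25-2017 12:27:02.100 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
"""

def kvstore_not_ready(log_text):
    """Map lookup name -> count, first and last time the 'not ready' error was logged."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "ERROR":
            continue  # skip non-error lines and anything not in splunkd.log layout
        hit = NOT_READY.search(m.group(4))
        if not hit:
            continue  # an ERROR, but not the KV Store initialization message
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        entry = seen[hit.group(1)]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(seen)

def stuck_lookups(summary, grace=timedelta(hours=1)):
    """Lookups still failing more than `grace` after their first error (assumed threshold)."""
    return sorted(name for name, e in summary.items() if e["last"] - e["first"] > grace)

if __name__ == "__main__":
    summary = kvstore_not_ready(SAMPLE_LOG)
    for name, e in sorted(summary.items()):
        print(name, e["count"], e["first"].isoformat(), e["last"].isoformat())
    print("stuck:", stuck_lookups(summary))
```

A lookup that appears in the stuck list means the KV Store is not merely slow to start, which matches the "starting" kvStoreStatus reported above.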