Splunk Enterprise Security

Failed to execute KV Store lookup

Prakhar_shukla
Path Finder

Since I upgraded Splunk Enterprise to 5.5.3 and installed the Enterprise Security app, I am getting the following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
1 Solution

Prakhar_shukla
Path Finder

I have upgraded the Splunk ES version to 4.7 and it seems to have fixed the issue.

0 Karma

LukeMurphey
Champion

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod
0 Karma

Prakhar_shukla
Path Finder

It seems normal. The error has been coming since I upgraded Enterprise and installed ES.

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma

krish3
Contributor

Give it some time to run datamodels and lookup builds to complete.

0 Karma

Prakhar_shukla
Path Finder

It's been 3 days; after installation I did nothing in ES or Splunk.

0 Karma

krish3
Contributor

Try running this search and post the output:

|rest /services/server/info|table host kvStoreStatus

Prakhar_shukla
Path Finder

kvStoreStatus is "starting" for both the search heads.

0 Karma

krish3
Contributor

Did you have a look at this case and check for permission for KVstore files & certificates?

The status of KVstore should be "ready".

0 Karma