Splunk Enterprise Security

Failed to execute KV Store lookup

Path Finder

Since i upgrdaed splunk enterprise to 5.5.3 and installed Enterprise security app, i am getting following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
1 Solution

Path Finder

i have upgraded the splunk ES version to 4.7 and it seems to fixed the issue

View solution in original post

0 Karma

Path Finder

i have upgraded the splunk ES version to 4.7 and it seems to fixed the issue

View solution in original post

0 Karma

Champion

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod
0 Karma

Path Finder

it seems normal. Error is coming since i upgraded Enterprise and installed ES

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma

Contributor

Give it sometime to run datamodels and lookup builds to complete.

0 Karma

Path Finder

its been 3 days, after installation i did nothing in ES or splunk

0 Karma

Contributor

Try running this search and post the output:

|rest /services/server/info|table host kvStoreStatus
0 Karma

Path Finder

KvStorestatus is starting for both the serach head.

0 Karma

Contributor

Did you have a look at this case and check for permission for KVstore files & certificates?

The status of KVstore should be "ready".

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!