Splunk Enterprise Security

Failed to execute KV Store lookup

Path Finder

Since I upgraded Splunk Enterprise to 5.5.3 and installed the Enterprise Security app, I am getting the following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
1 Solution

Path Finder

I have upgraded the Splunk ES version to 4.7 and it seems to have fixed the issue.

0 Karma

Champion

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod
0 Karma

Path Finder

It seems normal. The error has been coming since I upgraded Enterprise and installed ES.

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma

Contributor

Give it some time for the datamodels and lookup builds to complete.

0 Karma

Path Finder

It's been 3 days; after installation I did nothing in ES or Splunk.

0 Karma

Contributor

Try running this search and post the output:

|rest /services/server/info|table host kvStoreStatus
0 Karma

Path Finder

kvStoreStatus is starting for both the search heads.

0 Karma

Contributor

Did you have a look at this case and check for permission for KVstore files & certificates?

The status of KVstore should be "ready".

0 Karma
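
The errors quoted in this thread can be triaged straight from splunkd.log. The following is an added example, not part of any post and not Splunk's own code: it counts which lookups fail on the KV Store initialization error and over what time span, which separates a startup delay from a KV Store stuck in "starting". The sample lines are constructed from the messages quoted above, and the one-hour threshold and function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, built from the splunkd.log messages quoted in the thread.
SAMPLE_LOG = """\
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:07:10.004 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:07:11.120 +0200 INFO  Metrics - group=thruput, name=index_thruput
"""

# timestamp, level, component, message
LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>\w+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
LOOKUP = re.compile(
    r"lookup '([^']+)' is not available because KV Store initialization has not completed"
)


def kvstore_not_ready(log_text):
    """Count KV Store 'initialization has not completed' errors per lookup."""
    lookups, stamps = Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group("level") != "ERROR":
            continue  # skip non-error lines and lines in another format
        hit = LOOKUP.search(m.group("msg"))
        if hit:
            lookups[hit.group(1)] += 1
            stamps.append(datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z"))
    return {
        "lookups": dict(lookups),
        "first": min(stamps) if stamps else None,
        "last": max(stamps) if stamps else None,
    }


def is_persistent(report, min_span=timedelta(hours=1)):
    """True when the errors span at least min_span (assumed threshold)."""
    return report["first"] is not None and report["last"] - report["first"] >= min_span


if __name__ == "__main__":
    r = kvstore_not_ready(SAMPLE_LOG)
    print(r["lookups"], r["first"], r["last"], "persistent:", is_persistent(r))
```
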