Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Issues after upgrading Splunk Enterprise security ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good Day All,
I recently upgraded my ES running on a linux box to 5.3. The update went smooth but once the update got finished the investigation tab shows Unexpected token < in JSON at position 0
The incident review shows
External handler failed with code '1' and output: ". See splunkd.log for stderr output.
The content management site shows something about cannot access lookup table as i dont remember exactly what the error is.
The splunkd.log seems to be showing a lot of errors about python 2.4. The site being secure i cannot directly copy the logs out from the server. Has anyone ran into the above listed errors upgrading to splunk ES 5.3?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am actually not sure what fixed my issue but it might be one of the below steps or both.
1. Once the upgrade is completed there are a couple of tasks that have to be done like deleting some files from the ES directory. It is documented in the splunk docs under upgrade of ES. Complete those steps.
2. Completely upgrade your splunk instance to the latest version. Once done, restart the whole instance and the errors will go away.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am actually not sure what fixed my issue but it might be one of the below steps or both.
1. Once the upgrade is completed there are a couple of tasks that have to be done like deleting some files from the ES directory. It is documented in the splunk docs under upgrade of ES. Complete those steps.
2. Completely upgrade your splunk instance to the latest version. Once done, restart the whole instance and the errors will go away.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
same problem, I am going to open a support ticket to get it working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have to copy over a .py file that support gives you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you clear the web browser cache after the upgrade? Do you see any errors in splunkd.log? Did the upgrade complete and all supporting add-ons were successfully updated?
Please share the troubleshooting steps you took after identifying these errors 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didnt clear the browser cache actually. I tried moving the ES to disabled folders, reinstalled the splunk ES app and its the same error. Being a secure site i couldnt copy out the exact logs from the splunkd log. I remember the SA apps and the DA apps complaining about python repeating on the log file every time i try to access the tabs.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
