Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Kvstore failed

egko
Loves-to-Learn
‎12-02-2025 10:49 PM

On my current machine, Kvstore is failing.
When I restart Splunk, the Kvstore status is "Ready." However, when I click the Audit Log tab in ES, the status changes to "Failed." This makes it impossible to access other Kvstore-related functions, such as incident review in ES.

I tried changing the server.pem file to a different extension and restarting, as well as changing the mongod.lock and splunk.key files to different extensions and restarting. I also tried changing all configuration files, but nothing worked.

I'm wondering if there are any other solutions.

Please help.

 

Splunk version : 8.1.10.1
Splunk Enterprise Security: 7.0.1

ERROR-Log
Failed to execute KVstore lookups External command based lookup 'goverence_lookup' is not available because KVstore initialization has failed, Contact your system admin...
Failed to create kvstore lookup

 

 

Labels (2)
Tags (1)
0 Karma
Reply

PrewinThomas
Motivator
‎12-03-2025 01:43 AM

@egko 

Your Splunk Enterprise 8.1x is outdated, and Splunk Enterprise Security 7.0.1 is likely incompatible, causing the KV Store to fail (from "Ready" to "Failed") when ES loads.

Upgrade Splunk Enterprise, then upgrade ES to a compatible version.

#https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.0/upgrade-or-migrate-...


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

thahir
Contributor
‎12-02-2025 11:26 PM

@egko  Take the backup of KV store
ref: https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.4/administer-the-app-key... 

and try to clean the kvstore and restart the splunk.

check the status 

splunk show kvstore-status --verbose

splunk stop
splunk clean kvstore --local
splunk start

please refer the below document as well for more details about kv store troubleshooting

https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.0/welcome-to-splunk-enterpris... 

 

 

0 Karma
Reply

egko
Loves-to-Learn
‎12-03-2025 12:19 AM

The mongod.lock file is 0 bytes no matter how many times I restart it.

0 Karma
Reply

thahir
Contributor
‎12-03-2025 12:21 AM

@egko  remove the lock file and clean up the kvstore and do the restart

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...