Splunk Enterprise Security

Splunk ES 6.0 failed set up - Postinstall failure

barry
Explorer

I tried to install ES 6.0 in my server and it fails during postinstall. Have anyone experienced the same issue?

alt text

See the logs below.


11-06-2019 14:07:53.198 INFO dispatchRunner - Search process mode: preforked (reused process by new user) (build bd63e13aa157).
11-06-2019 14:07:53.198 INFO dispatchRunner - registering build time modules, count=1
11-06-2019 14:07:53.198 INFO dispatchRunner - registering search time components of build time module name=vix
11-06-2019 14:07:53.200 INFO BundlesSetup - Setup stats for /opt/splunk/etc: wallclock_elapsed_msec=11, cpu_time_used=0.009342, shared_services_generation=2, shared_services_population=1
11-06-2019 14:07:53.200 INFO UserManagerPro - Load authentication: forcing roles="admin, ess_admin, ess_analyst, ess_user, power, user"
11-06-2019 14:07:53.201 INFO UserManager - Setting user context: splunk-system-user
11-06-2019 14:07:53.201 INFO UserManager - Done setting user context: NULL -> splunk-system-user
11-06-2019 14:07:53.202 INFO UserManager - Unwound user context: splunk-system-user -> NULL
11-06-2019 14:07:53.202 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.202 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.202 INFO dispatchRunner - search context: user="admin", app="SplunkEnterpriseSecuritySuite", bs-pathname="/opt/splunk/etc"
11-06-2019 14:07:53.202 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.203 INFO dispatchRunner - SearchHeadInitSearchMs=2
11-06-2019 14:07:53.203 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.203 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.203 INFO dispatchRunner - Executing the Search orchestrator and iterator model (dfs=0).
11-06-2019 14:07:53.204 INFO SearchOrchestrator - SearchOrchestrator getting constructed
11-06-2019 14:07:53.204 INFO SearchOrchestrator - Initialized the SRI
11-06-2019 14:07:53.204 INFO ISplunkDispatch - Not running in splunkd. Bundle replication not triggered.
11-06-2019 14:07:53.204 INFO SearchOrchestrator - Initialzing the run time settings for the orchestrator.
11-06-2019 14:07:53.204 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.204 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.204 INFO SearchOrchestrator - Creating the search DAG.
11-06-2019 14:07:53.204 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.206 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py
11-06-2019 14:07:53.349 INFO ChunkedExternProcessor - Custom search command is a generating command.
11-06-2019 14:07:53.349 INFO DispatchThread - BatchMode: allowBatchMode: 0, conf(1): 1, timeline/Status buckets(0):0, realtime(0):0, report pipe empty(0):1, reqTimeOrder(0):0, summarize(0):0, statefulStreaming(0):1
11-06-2019 14:07:53.350 INFO DispatchThread - Setup timeliner partialCommits=0
11-06-2019 14:07:53.350 INFO DispatchThread - required fields list to add to remote search = bkt,_cd,_si,host,index,linecount,source,sourcetype,splunk_server
11-06-2019 14:07:53.350 INFO DispatchCommandProcessor - summaryHash=NS3d9d854163f8f07a summaryId=E2639927-1004-462D-B8F0-B3F38EA22E02_SplunkEnterpriseSecuritySuite_admin_NS3d9d854163f8f07a remoteSearch=
11-06-2019 14:07:53.353 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.353 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py
11-06-2019 14:07:53.499 INFO ChunkedExternProcessor - Custom search command is a generating command.
11-06-2019 14:07:53.499 INFO AstOptimizer - SrchOptMetrics optimize_toJson=0.145976957
11-06-2019 14:07:53.508 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.508 INFO ProjElim - Black listed processors=[addinfo]
11-06-2019 14:07:53.513 INFO AstOptimizer - Search optimizations have been disabled in limits.conf. Set enabled=true in [search_optimization::replace_stats_cmds_with_tstats]
11-06-2019 14:07:53.513 INFO AstVisitorFactory - Not building visitor : replace_stats_cmds_with_tstats
11-06-2019 14:07:53.513 INFO AstOptimizer - SrchOptMetrics optimization=0.004491601
11-06-2019 14:07:53.513 INFO SearchPhaseGenerator - Optimized Search =| essinstall --deployment_type search_head
11-06-2019 14:07:53.513 INFO ParallelReducePolicy - Current Search Head doesn't have any usable peers to use.
11-06-2019 14:07:53.513 INFO PhaseNodeGenerationVisitor - User lacking run_multi_phased_searches, rolling back to 2-phase mode.
11-06-2019 14:07:53.513 INFO PhaseToPipelineVisitor - Phase Search = | essinstall --deployment_type search_head
11-06-2019 14:07:53.513 INFO SearchParser - PARSING: | essinstall --deployment_type search_head
11-06-2019 14:07:53.513 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py
11-06-2019 14:07:53.657 INFO ChunkedExternProcessor - Custom search command is a generating command.
11-06-2019 14:07:53.657 INFO SearchPipeline - ReportSearch=0 AllowBatchMode=0
11-06-2019 14:07:53.657 INFO SearchPhaseGenerator - Storing only 1000 events per timeline buckets due to limits.conf max_events_per_bucket setting.
11-06-2019 14:07:53.657 INFO SearchPhaseGenerator - No need for RTWindowProcessor
11-06-2019 14:07:53.657 INFO SearchPhaseGenerator - Adding timeliner to final phase
11-06-2019 14:07:53.657 INFO SearchParser - PARSING: timeliner remote=0 partial_commits=0 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300
11-06-2019 14:07:53.658 INFO TimelineCreator - Creating timeline with remote=0 partialCommits=0 commitFreq=0 syncKSFreq=0 maxSyncKSPeriodTime=60000 bucket=300 latestTime=0.000000 earliestTime=2147483647.000000
11-06-2019 14:07:53.658 INFO SearchPhaseGenerator - required fields list to add to different pipelines = _bkt,_cd,_si,host,index,linecount,source,sourcetype,splunk_server
11-06-2019 14:07:53.658 INFO SearchPhaseGenerator - Search Phases created.
11-06-2019 14:07:53.659 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.659 INFO UserManager - Done setting user context: admin -> admin
11-06-2019 14:07:53.659 INFO UserManager - Unwound user context: admin -> admin
11-06-2019 14:07:53.659 INFO DistributedSearchResultCollectionManager - Stream search:
11-06-2019 14:07:53.659 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.659 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.659 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:07:53.659 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.659 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.659 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:07:53.659 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.659 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.659 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:07:53.659 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.659 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.659 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:07:53.659 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.659 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.659 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:07:53.659 INFO SearchPhaseGenerator - Time spends on creating distributed search results infrastructure; dispatchcreatedSearchResultInfrastructure=0.000424580 seconds.
11-06-2019 14:07:53.659 INFO SearchParser - PARSING: | streamnoop
11-06-2019 14:07:53.659 INFO SearchParser - PARSING: streamnoop | essinstall --deployment_type search_head | timeliner remote=0 partial_commits=0 max_events_per_bucket=1000 fieldstats_update_maxperiod=60 bucket=300
11-06-2019 14:07:53.660 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py
11-06-2019 14:07:53.797 INFO ChunkedExternProcessor - Custom search command is a generating command.
11-06-2019 14:07:53.797 INFO ChunkedExternProcessor - Exiting custom search command after getinfo since we are in preview mode:essinstall
11-06-2019 14:07:53.800 INFO TimelineCreator - Creating timeline with remote=0 partialCommits=0 commitFreq=0 syncKSFreq=0 maxSyncKSPeriodTime=60000 bucket=300 latestTime=0.000000 earliestTime=2147483647.000000
11-06-2019 14:07:53.800 INFO SearchOrchestrator - Starting the status control thread.
11-06-2019 14:07:53.800 INFO SearchOrchestrator - Starting phase=1
11-06-2019 14:07:53.800 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.800 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.800 INFO ReducePhaseExecutor - Stating phase_1
11-06-2019 14:07:53.800 INFO UserManager - Setting user context: admin
11-06-2019 14:07:53.800 INFO UserManager - Done setting user context: NULL -> admin
11-06-2019 14:07:53.800 INFO SearchStatusEnforcer - Enforcing disk quota = 26214400000
11-06-2019 14:07:53.800 INFO PreviewExecutor - Preview Enforcing initialization done
11-06-2019 14:07:53.886 INFO ChunkedExternProcessor - stderr: STAGE STARTING: "refresh"
11-06-2019 14:07:53.886 INFO ChunkedExternProcessor - stderr: stage="refresh" msg="Installation record found"
11-06-2019 14:07:53.886 INFO ChunkedExternProcessor - stderr: stage="refresh" msg="State data loaded."
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" msg="TAs to install: set([])"
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" msg="TAs to disable: set([])"
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" msg="TAs to skip: set([])"
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" app="splunk_gdi" status="enabled,unmanaged,denies_disable" msg="currently installed version: 1.0.2"
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" app="launcher" status="enabled,unmanaged,denies_disable" msg="currently installed version: None"
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" app="splunk_instrumentation" status="enabled,unmanaged,denies_disable" msg="currently installed version: 4.2.2"
11-06-2019 14:07:53.887 INFO ChunkedExternProcessor - stderr: stage="refresh" app="splunk_monitoring_console" status="enabled,unmanaged,allows_disable" msg="currently installed version: 7.3.1"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="appsbrowser" status="enabled,unmanaged,denies_disable" msg="currently installed version: 7.3.1"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="endacestream" status="enabled,unmanaged,allows_disable" msg="currently installed version: 0.2.1"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="SplunkLightForwarder" status="disabled,unmanaged,allows_disable" msg="currently installed version: None"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="learned" status="enabled,unmanaged,allows_disable" msg="currently installed version: None"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="gettingstarted" status="disabled,unmanaged,allows_disable" msg="currently installed version: 1.0"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="splunk_metrics_workspace" status="enabled,unmanaged,allows_disable" msg="currently installed version: 1.1.6"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="sample_app" status="disabled,unmanaged,allows_disable" msg="currently installed version: None"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="search" status="enabled,unmanaged,denies_disable" msg="currently installed version: 7.3.1"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="alert_webhook" status="enabled,unmanaged,allows_disable" msg="currently installed version: 7.3.1"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="introspection_generator_addon" status="enabled,unmanaged,allows_disable" msg="currently installed version: 7.3.1"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="endace" status="enabled,unmanaged,allows_disable" msg="currently installed version: 3.0.0"
11-06-2019 14:07:53.888 INFO ChunkedExternProcessor - stderr: stage="refresh" app="legacy" status="disabled,unmanaged,allows_disable" msg="currently installed version: None"
11-06-2019 14:07:53.889 INFO ChunkedExternProcessor - stderr: stage="refresh" app="SplunkEnterpriseSecuritySuite" status="enabled,unmanaged,allows_disable" msg="currently installed version: 6.0.0"
11-06-2019 14:07:53.889 INFO ChunkedExternProcessor - stderr: stage="refresh" app="splunk_archiver" status="enabled,unmanaged,allows_disable" msg="currently installed version: 1.0"
11-06-2019 14:07:53.889 INFO ChunkedExternProcessor - stderr: stage="refresh" app="SplunkForwarder" status="disabled,unmanaged,allows_disable" msg="currently installed version: None"
11-06-2019 14:07:53.889 INFO ChunkedExternProcessor - stderr: stage="refresh" app="splunk_httpinput" status="enabled,unmanaged,allows_disable" msg="currently installed version: None"
11-06-2019 14:07:53.889 INFO ChunkedExternProcessor - stderr: stage="refresh" app="alert_logevent" status="enabled,unmanaged,allows_disable" msg="currently installed version: 7.3.1"
11-06-2019 14:07:53.889 INFO ChunkedExternProcessor - stderr: STAGE COMPLETE: "refresh"
11-06-2019 14:07:53.890 INFO ChunkedExternProcessor - stderr: STAGE STARTING: "deprecate_apps"
11-06-2019 14:07:53.891 INFO ChunkedExternProcessor - stderr: stage="deprecate_apps" msg="Installation record found"
11-06-2019 14:07:53.891 INFO ChunkedExternProcessor - stderr: stage="deprecate_apps" msg="State data loaded."
11-06-2019 14:07:53.891 INFO ChunkedExternProcessor - stderr: stage="deprecate_apps" msg="TAs to install: set([])"
11-06-2019 14:07:53.891 INFO ChunkedExternProcessor - stderr: stage="deprecate_apps" msg="TAs to disable: set([])"
11-06-2019 14:07:53.891 INFO ChunkedExternProcessor - stderr: stage="deprecate_apps" msg="TAs to skip: set([])"
11-06-2019 14:07:53.892 INFO ChunkedExternProcessor - stderr: stage="deprecate_apps" msg="No apps require deprecation"
11-06-2019 14:07:53.892 INFO ChunkedExternProcessor - stderr: STAGE COMPLETE: "deprecate_apps"
11-06-2019 14:07:53.893 INFO ChunkedExternProcessor - stderr: STAGE STARTING: "disable_apps"
11-06-2019 14:07:53.893 INFO ChunkedExternProcessor - stderr: stage="disable_apps" msg="Installation record found"
11-06-2019 14:07:53.893 INFO ChunkedExternProcessor - stderr: stage="disable_apps" msg="State data loaded."
11-06-2019 14:07:53.893 INFO ChunkedExternProcessor - stderr: stage="disable_apps" msg="TAs to install: set([])"
11-06-2019 14:07:53.893 INFO ChunkedExternProcessor - stderr: stage="disable_apps" msg="TAs to disable: set([])"
11-06-2019 14:07:53.894 INFO ChunkedExternProcessor - stderr: stage="disable_apps" msg="TAs to skip: set([])"
11-06-2019 14:07:53.894 INFO ChunkedExternProcessor - stderr: stage="disable_apps" msg="No apps require the action"
11-06-2019 14:07:53.894 INFO ChunkedExternProcessor - stderr: STAGE COMPLETE: "disable_apps"
11-06-2019 14:07:53.901 INFO ChunkedExternProcessor - stderr: STAGE STARTING: "install_apps"
11-06-2019 14:07:53.901 INFO ChunkedExternProcessor - stderr: stage="install_apps" msg="Installation record found"
11-06-2019 14:07:53.901 INFO ChunkedExternProcessor - stderr: stage="install_apps" msg="State data loaded."
11-06-2019 14:07:53.902 INFO ChunkedExternProcessor - stderr: stage="install_apps" msg="TAs to install: set([])"
11-06-2019 14:07:53.902 INFO ChunkedExternProcessor - stderr: stage="install_apps" msg="TAs to disable: set([])"
11-06-2019 14:07:53.902 INFO ChunkedExternProcessor - stderr: stage="install_apps" msg="TAs to skip: set([])"
11-06-2019 14:07:54.049 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-tippingpoint" filename="TA-tippingpoint-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:54.157 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_juniper" filename="Splunk_TA_juniper-1.2.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:54.353 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_ueba" filename="Splunk_TA_ueba-2.0.0-1632.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:54.699 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
11-06-2019 14:07:55.188 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-EndpointProtection" filename="SA-EndpointProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:56.656 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-IdentityManagement" filename="SA-IdentityManagement-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:56.858 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_rsa-securid" filename="Splunk_TA_rsa-securid-1.1.0-2.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:57.124 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_sophos" filename="Splunk_TA_sophos-3.2.0-228699.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:57.475 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_symantec-ep" filename="Splunk_TA_symantec-ep-3.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:57.681 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-cef" filename="TA-cef-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:58.097 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-AuditAndDataProtection" filename="SA-AuditAndDataProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:58.300 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-fortinet" filename="TA-fortinet-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:07:58.515 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-UEBA" filename="SA-UEBA-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:02.858 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_SA_Scientific_Python_linux_x86_64" filename="Splunk_SA_Scientific_Python_linux_x86_64-1.4-0.tgz" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:03.072 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_sourcefire" filename="Splunk_TA_sourcefire-3.3.2-8.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:03.924 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_SA_CIM" filename="Splunk_SA_CIM-4.14.0-6.tgz" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:05.821 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_ML_Toolkit" filename="Splunk_ML_Toolkit-4.4.2-1570089254491.tgz" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:06.027 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-trendmicro" filename="TA-trendmicro-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:06.523 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-AccessProtection" filename="SA-AccessProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:06.748 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_bro" filename="Splunk_TA_bro-4.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:07.056 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-alcatel" filename="TA-alcatel-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:07.372 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_nix" filename="Splunk_TA_nix-7.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:08.201 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-NetworkProtection" filename="SA-NetworkProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:08.614 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="DA-ESS-IdentityManagement" filename="DA-ESS-IdentityManagement-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:08.930 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_websense-cg" filename="Splunk_TA_websense-cg-1.1.0-1.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:09.284 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_oracle" filename="Splunk_TA_oracle-3.7.0-1.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:09.613 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_mcafee" filename="Splunk_TA_mcafee-2.2.1-1.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:11.412 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-Utils" filename="SA-Utils-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:11.527 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-airdefense" filename="TA-airdefense-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:11.808 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_bluecoat-proxysg" filename="Splunk_TA_bluecoat-proxysg-3.6.0-2.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:11.929 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="DA-ESS-EndpointProtection" filename="DA-ESS-EndpointProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:12.058 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="DA-ESS-AccessProtection" filename="DA-ESS-AccessProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:12.737 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="DA-ESS-NetworkProtection" filename="DA-ESS-NetworkProtection-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:12.861 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-ftp" filename="TA-ftp-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:14.559 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="DA-ESS-ThreatIntelligence" filename="DA-ESS-ThreatIntelligence-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:14.790 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_ossec" filename="Splunk_TA_ossec-4.0.1-10.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:16.956 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="SA-ThreatIntelligence" filename="SA-ThreatIntelligence-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:17.179 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="TA-nmap" filename="TA-nmap-6.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:18.271 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="install_apps" app="Splunk_TA_windows" filename="Splunk_TA_windows-7.0.0-3.spl" upgrade="False" status="True" msg="installed"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="install_apps" msg="No apps require the action"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: STAGE COMPLETE: "install_apps"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: STAGE STARTING: "reenable_apps"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" msg="Installation record found"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" msg="State data loaded."
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" msg="TAs to install: set([])"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" msg="TAs to disable: set([])"
11-06-2019 14:08:18.272 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" msg="TAs to skip: set([])"
11-06-2019 14:08:19.569 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-NetworkProtection" status="True" msg="enable"
11-06-2019 14:08:20.588 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-EndpointProtection" status="True" msg="enable"
11-06-2019 14:08:21.969 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-IdentityManagement" status="True" msg="enable"
11-06-2019 14:08:23.512 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-ThreatIntelligence" status="True" msg="enable"
11-06-2019 14:08:24.624 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-AuditAndDataProtection" status="True" msg="enable"
11-06-2019 14:08:26.692 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-Utils" status="True" msg="enable"
11-06-2019 14:08:27.080 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="Splunk_ML_Toolkit" status="True" msg="enable"
11-06-2019 14:08:28.064 INFO ChunkedExternProcessor - stderr: stage="reenable_apps" app="SA-AccessProtection" status="True" msg="enable"
11-06-2019 14:08:28.064 INFO ChunkedExternProcessor - stderr: STAGE COMPLETE: "reenable_apps"
11-06-2019 14:08:28.067 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
11-06-2019 14:08:28.067 INFO ChunkedExternProcessor - stderr: STAGE STARTING: "postinstall"
11-06-2019 14:08:28.098 INFO ChunkedExternProcessor - stderr: Skipping action for the app_permissions_manager://enforce_es_permissions modular input (may already be enabled)
11-06-2019 14:08:28.098 INFO ChunkedExternProcessor - stderr: Skipping action for the configuration_check://confcheck_es_identity_correlation modular input (may already be enabled)
11-06-2019 14:08:28.170 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Application_State modular input
11-06-2019 14:08:28.275 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Authentication modular input
11-06-2019 14:08:28.488 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Certificates modular input
11-06-2019 14:08:28.659 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Change modular input
11-06-2019 14:08:29.029 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Change_Analysis modular input
11-06-2019 14:08:29.140 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Domain_Analysis modular input
11-06-2019 14:08:29.218 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Email modular input
11-06-2019 14:08:29.285 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Endpoint modular input
11-06-2019 14:08:29.354 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Incident_Management modular input
11-06-2019 14:08:29.421 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Intrusion_Detection modular input
11-06-2019 14:08:29.526 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Malware modular input
11-06-2019 14:08:29.589 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Network_Resolution modular input
11-06-2019 14:08:29.663 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Network_Sessions modular input
11-06-2019 14:08:29.733 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Network_Traffic modular input
11-06-2019 14:08:29.798 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Performance modular input
11-06-2019 14:08:29.863 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Risk modular input
11-06-2019 14:08:29.927 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Splunk_Audit modular input
11-06-2019 14:08:29.995 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Ticket_Management modular input
11-06-2019 14:08:30.066 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Updates modular input
11-06-2019 14:08:30.150 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Vulnerabilities modular input
11-06-2019 14:08:30.216 INFO ChunkedExternProcessor - stderr: Enabled the dm_accel_settings://Web modular input
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Error enabling the threat_intelligence_manager://da_ess_threat_default modular input
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/DA-ESS-ThreatIntelligence/data/inputs/threat_intelligence_m...; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 45, in deployManagerInputs
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: uri, sessionKey=session_key, method='POST')
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/
init.py", line 550, in simpleRequest
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/DA-ESS-ThreatIntelligence/data/inputs/threat_intelligence_m...; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Error retrieving manager inputs to deploy
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input', u'threat_intelligence_manager://da_ess_threat_default')
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 57, in deployManagerInputs
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: raise Exception('Error enabling the %s modular input', name)
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input', u'threat_intelligence_manager://da_ess_threat_default')
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr:
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py", line 209, in do_install
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: output = fn(session_key, True)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 54, in wrapper
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: r = f(self, *args, **kwargs)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 539, in stage_postinstall
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: self._postinstall(session_key)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 303, in _postinstall
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: raise InstallException(str(e))
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: postinstall failed.
11-06-2019 14:08:30.226 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
11-06-2019 14:08:30.235 INFO ReducePhaseExecutor - Ending phase_1
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.235 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='admin
adminSplunkEnterpriseSecuritySuite_RMD55ec2a61538835c15_1573070873.9', username='admin')
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.239 INFO UserManager - Unwound user context: admin -> NULL

0 Karma
1 Solution

barry
Explorer

I found out the issue.
ES needs to be installed on Splunk Enterprise 7.3.2 and above. Mine was 7.3.1.
When I updated, the installation occurred smoothly.

View solution in original post

0 Karma

Naybour
Engager

I was getting a similar error when configuring ES. When searching for it I could only find this post. So for anyone with the same error, make sure that the user has the "ess_admin" role.

The error was:

Error in 'essinstall' command: postinstall failed - Error retrieving manager inputs to deploy

croesus
Engager

Thanks @Naybour!

...and if you're logged in as the admin user, don't assign "ess_admin" to the user because you'll get an error saying it is not grantable. Instead add "ess_admin" to the "admin" role. See https://answers.splunk.com/answers/671058/i-cant-assign-can-delete-to-default-user-admin.html
(can't seem to get links in comments to work - sorry!)

0 Karma

barry
Explorer

I found out the issue.
ES needs to be installed on Splunk Enterprise 7.3.2 and above. Mine was 7.3.1.
When I updated, the installation occurred smoothly.

0 Karma

fernanlee
Path Finder

Yeah, thats the issue... good luck!

0 Karma

fernanlee
Path Finder

Wich versión of Splunk Enterprise are you using for ES deployment?

0 Karma

barry
Explorer

Splunk Version: 7.3.1
Build: bd63e13aa157
ES Version: 6.0.0

0 Karma

jpdubose
Explorer

Is your Enterprise Security search head managed by a deployment server? If so, stop the ES splunk instance, move the deployment client config file to keep it off the deployment server and then start splunk back up and try the ES config again.

0 Karma

barry
Explorer

Nope, ES is not managed by deployment server.
I have a single server running everything, Forwarder, Indexer and search head.
I just installed ES plugin from importing the file.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...