Splunk Enterprise Security

Splunk ES 6.0 installation fails

premforsplunk
Explorer

Hi folks,
I'm trying to install newly released Splunk ES 6.0, but it keeps on failing during the "post installation checks" module (in web UI ES App setup)

I tried multiple time but got the same result.

Any idea why this is happening ?

ssattler
Path Finder

10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 539, in stage_postinstall
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: self.postinstall(session_key)
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 303, in _postinstall
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: raise InstallException(str(e))
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: postinstall failed.
10-31-2019 13:57:50.547 INFO ReducePhaseExecutor - Ending phase_1
10-31-2019 13:57:50.547 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.547 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='admin
adminSplunkEnterpriseSecuritySuite_RMD5ba60899908b7f811_1572544503.5', username='admin')
10-31-2019 13:57:50.549 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.555 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.555 INFO PipelineComponent - Process delayed by 165.915 seconds, perhaps system was suspended?

0 Karma

barry
Explorer

I'm seeing postinstall failure as well. The error logs are a little different from ssattler's though.

I'm running Splunk 7.3 and it's a new installation of ES. My server has 16 cores and 48GB memory.

11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Error enabling the threat_intelligence_manager://da_ess_threat_default modular input
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/DA-ESS-ThreatIntelligence/data/inputs/threat_intelligence_m...; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 45, in deployManagerInputs
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: uri, sessionKey=session_key, method='POST')
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/init.py", line 550, in simpleRequest
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/DA-ESS-ThreatIntelligence/data/inputs/threat_intelligence_m...; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Error retrieving manager inputs to deploy
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input', u'threat_intelligence_manager://da_ess_threat_default')
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 57, in deployManagerInputs
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: raise Exception('Error enabling the %s modular input', name)
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input', u'threat_intelligence_manager://da_ess_threat_default')
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr:
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py", line 209, in do_install
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: output = fn(session_key, True)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 54, in wrapper
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: r = f(self, *args, **kwargs)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 539, in stage_postinstall
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: self.postinstall(session_key)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 303, in _postinstall
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: raise InstallException(str(e))
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: postinstall failed.
11-06-2019 14:08:30.226 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
11-06-2019 14:08:30.235 INFO ReducePhaseExecutor - Ending phase_1
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.235 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='admin
adminSplunkEnterpriseSecuritySuite_RMD55ec2a61538835c15_1573070873.9', username='admin')
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.239 INFO UserManager - Unwound user context: admin -> NULL

0 Karma

ssattler
Path Finder

Clean install of OS and Clean Install of Splunk

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

What version of Splunk Enterprise? Just b/c it's clean doesn't indicate what version you are trying to install ES 6.0 on.
Also, as far as I can tell, there was an issue retrieving the session key during the install process. It may mean the install took a very long amount of time and the session key became invalid. The install process should be pretty quick, was it left alone for a while before or after you selected what TAs you wanted to install?

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

Is this an upgrade or net-new ES install? What version of Splunk Enterprise?
You can always check the _internal logs, as Splunk logs the upgrade in $SPLUNKHOME$/var/log/splunk/essinstaller2.log, so youc an search something like
index=_internal source=*/essinstaller2.log

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!