Hi folks,
I'm trying to install newly released Splunk ES 6.0, but it keeps on failing during the "post installation checks" module (in web UI ES App setup)
I tried multiple time but got the same result.
Any idea why this is happening ?
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 539, in stage_postinstall
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: self.postinstall(session_key)
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 303, in _postinstall
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: raise InstallException(str(e))
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
10-31-2019 13:57:50.541 ERROR ChunkedExternProcessor - stderr: postinstall failed.
10-31-2019 13:57:50.547 INFO ReducePhaseExecutor - Ending phase_1
10-31-2019 13:57:50.547 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.547 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='adminadminSplunkEnterpriseSecuritySuite_RMD5ba60899908b7f811_1572544503.5', username='admin')
10-31-2019 13:57:50.549 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.552 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.555 INFO UserManager - Unwound user context: admin -> NULL
10-31-2019 13:57:50.555 INFO PipelineComponent - Process delayed by 165.915 seconds, perhaps system was suspended?
I'm seeing postinstall failure as well. The error logs are a little different from ssattler's though.
I'm running Splunk 7.3 and it's a new installation of ES. My server has 16 cores and 48GB memory.
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Error enabling the threat_intelligence_manager://da_ess_threat_default modular input
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/DA-ESS-ThreatIntelligence/data/inputs/threat_intelligence_m...; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 45, in deployManagerInputs
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: uri, sessionKey=session_key, method='POST')
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/init.py", line 550, in simpleRequest
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/DA-ESS-ThreatIntelligence/data/inputs/threat_intelligence_m...; [{'code': None, 'text': 'Not Found', 'type': 'ERROR'}]
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Error retrieving manager inputs to deploy
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input', u'threat_intelligence_manager://da_ess_threat_default')
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 57, in deployManagerInputs
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: raise Exception('Error enabling the %s modular input', name)
11-06-2019 14:08:30.223 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input', u'threat_intelligence_manager://da_ess_threat_default')
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr:
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py", line 209, in do_install
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: output = fn(session_key, True)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 54, in wrapper
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: r = f(self, *args, **kwargs)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 539, in stage_postinstall
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: self.postinstall(session_key)
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 303, in _postinstall
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: raise InstallException(str(e))
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
11-06-2019 14:08:30.224 ERROR ChunkedExternProcessor - stderr: postinstall failed.
11-06-2019 14:08:30.226 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
11-06-2019 14:08:30.235 INFO ReducePhaseExecutor - Ending phase_1
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.235 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='adminadminSplunkEnterpriseSecuritySuite_RMD55ec2a61538835c15_1573070873.9', username='admin')
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.235 INFO UserManager - Unwound user context: admin -> NULL
11-06-2019 14:08:30.239 INFO UserManager - Unwound user context: admin -> NULL
Clean install of OS and Clean Install of Splunk
What version of Splunk Enterprise? Just b/c it's clean doesn't indicate what version you are trying to install ES 6.0 on.
Also, as far as I can tell, there was an issue retrieving the session key during the install process. It may mean the install took a very long amount of time and the session key became invalid. The install process should be pretty quick, was it left alone for a while before or after you selected what TAs you wanted to install?
Is this an upgrade or net-new ES install? What version of Splunk Enterprise?
You can always check the _internal logs, as Splunk logs the upgrade in $SPLUNKHOME$/var/log/splunk/essinstaller2.log, so youc an search something like
index=_internal source=*/essinstaller2.log