Splunk Enterprise Security

Splunk Enterprise Security: Post-install configuration receiving error message

rvaldes
New Member

I am trying to install Splunk ES v 5.3.1 on Red Hat Enterprise Linux Server release 7.6.
& Splunk Enterprise 7.2.5 We have one search head, one indexer, two HF and some other UF.
All indexes are hosted in the indexer. I am trying to install the ES on the SH, but the
configuration process ends with an error message in the "Conducting post-install actions"
phase. The search.log shows the following:

09-19-2019 10:18:34.798 INFO  ChunkedExternProcessor - stderr: STAGE STARTING: "postinstall"
09-19-2019 10:18:37.944 INFO  ChunkedExternProcessor - stderr: Skipping action for the app_permissions_manager://enforce_es_permissions modular input (may already be enabled)
09-19-2019 10:18:37.944 INFO  ChunkedExternProcessor - stderr: Skipping action for the configuration_check://confcheck_es_identity_correlation modular input (may already be enabled)
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr: Error enabling the dm_accel_settings://Application_State modular input: 
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr: 
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr:   
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr:     This handler does not support object enabling
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr:   
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr: 
09-19-2019 10:18:38.070 ERROR ChunkedExternProcessor - stderr: Error enabling the dm_accel_settings://Application_State modular input
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input: %s', u'dm_accel_settings://Application_State', '\n\n  \n    This handler does not support object enabling\n  \n\n')
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 52, in deployManagerInputs
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr:     raise Exception('Error enabling the %s modular input: %s', name, c)
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input: %s', u'dm_accel_settings://Application_State', '\n\n  \n    This handler does not support object enabling\n  \n\n')
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: Error retrieving manager inputs to deploy
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input', u'dm_accel_settings://Application_State')
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 57, in deployManagerInputs
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr:     raise Exception('Error enabling the %s modular input', name)
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input', u'dm_accel_settings://Application_State')
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: 
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py", line 171, in do_install
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     output = fn(session_key, True)
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 54, in wrapper
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     r = f(self, *args, **kwargs)
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 532, in stage_postinstall
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     self._postinstall(session_key)
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 305, in _postinstall
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     raise InstallException(str(e))
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: postinstall failed.
09-19-2019 10:18:38.174 INFO  ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
09-19-2019 10:18:38.389 INFO  ReducePhaseExecutor - Ending phase_1
09-19-2019 10:18:38.389 INFO  UserManager - Unwound user context: admin -> NULL
09-19-2019 10:18:38.391 INFO  DispatchStorageManager - Remote storage disabled for search artifacts.
09-19-2019 10:18:38.391 INFO  DispatchManager - DispatchManager::dispatchHasFinished(id='admin__admin__SplunkEnterpriseSecuritySuite__RMD5f59f452b9fca28e2_1568905910.67201', username='admin')
09-19-2019 10:18:38.411 INFO  UserManager - Unwound user context: admin -> NULL
09-19-2019 10:18:38.477 INFO  UserManager - Unwound user context: admin -> NULL
09-19-2019 10:18:38.483 INFO  PipelineComponent - Process delayed by 406.802 seconds, perhaps system was suspended?

Could someone help me? Does anyone have any ideas?

P.S. previously I installed ES without any problem but it was in a single server environment.

0 Karma

edoardo_vicendo
Contributor

I faced the same issue during Splunk ES upgrade in a test environment with a machine having few resources (8 CPU 8GB RAM).
We have solved the problem increasing the resources to (16 CPU and 16GB RAM).

Even with increased resources we hit 1 timeout, clicking again to restart the process it then finalized the installation.
I believe that if it wouldn't have worked I would have followed the solution proposed by @jwelch_splunk adding the ess_admin (I mean I even tried that but if I add the ess_admin, after saving it show I have the power role instead)

0 Karma

shivanshu1593
Builder

Your earlier H/W resources were less than the minimum requirements for ES. I think even after adding the ess_admin role, it wouldn't have worked.

https://docs.splunk.com/Documentation/ES/6.1.1/Install/DeploymentPlanning

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

rvaldes
New Member

Hi every one. My solution was install a previous version (5.3.0 ). The installation went smoothly. To date, i haven't tried an update.
Greetings from this side of the reality.

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

Make sure the user that is doing the Setup portion / Install has ess_admin and re-run

0 Karma

dgregd
New Member

Thanks a lot, is solved my issue !

0 Karma

dgregd
New Member

Hello,
I have the exact same problem on my lab.
Did anyone solved this ?
Splunk verison 7.3.2
Single server environment.
Thank you,

Greg

0 Karma

tony_alibelli
New Member

Hi i have the issue on one client
Have you got any solution ?
Regardsd

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

What does the essinstaller2.log say in /opt/splunk/var/log/splunk?

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...