Splunk Enterprise Security

Splunk Enterprise Security: Post-install configuration receiving error message

rvaldes
New Member

I am trying to install Splunk ES v 5.3.1 on Red Hat Enterprise Linux Server release 7.6.
& Splunk Enterprise 7.2.5 We have one search head, one indexer, two HF and some other UF.
All indexes are hosted in the indexer. I am trying to install the ES on the SH, but the
configuration process ends with an error message in the "Conducting post-install actions"
phase. The search.log shows the following:

09-19-2019 10:18:34.798 INFO  ChunkedExternProcessor - stderr: STAGE STARTING: "postinstall"
09-19-2019 10:18:37.944 INFO  ChunkedExternProcessor - stderr: Skipping action for the app_permissions_manager://enforce_es_permissions modular input (may already be enabled)
09-19-2019 10:18:37.944 INFO  ChunkedExternProcessor - stderr: Skipping action for the configuration_check://confcheck_es_identity_correlation modular input (may already be enabled)
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr: Error enabling the dm_accel_settings://Application_State modular input: 
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr: 
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr:   
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr:     This handler does not support object enabling
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr:   
09-19-2019 10:18:38.069 ERROR ChunkedExternProcessor - stderr: 
09-19-2019 10:18:38.070 ERROR ChunkedExternProcessor - stderr: Error enabling the dm_accel_settings://Application_State modular input
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input: %s', u'dm_accel_settings://Application_State', '\n\n  \n    This handler does not support object enabling\n  \n\n')
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 52, in deployManagerInputs
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr:     raise Exception('Error enabling the %s modular input: %s', name, c)
09-19-2019 10:18:38.073 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input: %s', u'dm_accel_settings://Application_State', '\n\n  \n    This handler does not support object enabling\n  \n\n')
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: Error retrieving manager inputs to deploy
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: ('Error enabling the %s modular input', u'dm_accel_settings://Application_State')
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/deploy_manager_inputs.py", line 57, in deployManagerInputs
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr:     raise Exception('Error enabling the %s modular input', name)
09-19-2019 10:18:38.075 ERROR ChunkedExternProcessor - stderr: Exception: ('Error enabling the %s modular input', u'dm_accel_settings://Application_State')
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: 
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/essinstall.py", line 171, in do_install
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     output = fn(session_key, True)
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 54, in wrapper
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     r = f(self, *args, **kwargs)
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 532, in stage_postinstall
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     self._postinstall(session_key)
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:   File "/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py", line 305, in _postinstall
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr:     raise InstallException(str(e))
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: InstallException: Error retrieving manager inputs to deploy
09-19-2019 10:18:38.084 ERROR ChunkedExternProcessor - stderr: postinstall failed.
09-19-2019 10:18:38.174 INFO  ReducePhaseExecutor - ReducePhaseExecutor=1 action=PREVIEW
09-19-2019 10:18:38.389 INFO  ReducePhaseExecutor - Ending phase_1
09-19-2019 10:18:38.389 INFO  UserManager - Unwound user context: admin -> NULL
09-19-2019 10:18:38.391 INFO  DispatchStorageManager - Remote storage disabled for search artifacts.
09-19-2019 10:18:38.391 INFO  DispatchManager - DispatchManager::dispatchHasFinished(id='admin__admin__SplunkEnterpriseSecuritySuite__RMD5f59f452b9fca28e2_1568905910.67201', username='admin')
09-19-2019 10:18:38.411 INFO  UserManager - Unwound user context: admin -> NULL
09-19-2019 10:18:38.477 INFO  UserManager - Unwound user context: admin -> NULL
09-19-2019 10:18:38.483 INFO  PipelineComponent - Process delayed by 406.802 seconds, perhaps system was suspended?

Could someone help me? Does anyone have any ideas?

P.S. previously I installed ES without any problem but it was in a single server environment.

0 Karma

edoardo_vicendo
Contributor

I faced the same issue during Splunk ES upgrade in a test environment with a machine having few resources (8 CPU 8GB RAM).
We have solved the problem increasing the resources to (16 CPU and 16GB RAM).

Even with increased resources we hit 1 timeout, clicking again to restart the process it then finalized the installation.
I believe that if it wouldn't have worked I would have followed the solution proposed by @jwelch_splunk adding the ess_admin (I mean I even tried that but if I add the ess_admin, after saving it show I have the power role instead)

0 Karma

shivanshu1593
Builder

Your earlier H/W resources were less than the minimum requirements for ES. I think even after adding the ess_admin role, it wouldn't have worked.

https://docs.splunk.com/Documentation/ES/6.1.1/Install/DeploymentPlanning

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

rvaldes
New Member

Hi every one. My solution was install a previous version (5.3.0 ). The installation went smoothly. To date, i haven't tried an update.
Greetings from this side of the reality.

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

Make sure the user that is doing the Setup portion / Install has ess_admin and re-run

0 Karma

dgregd
New Member

Thanks a lot, is solved my issue !

0 Karma

dgregd
New Member

Hello,
I have the exact same problem on my lab.
Did anyone solved this ?
Splunk verison 7.3.2
Single server environment.
Thank you,

Greg

0 Karma

tony_alibelli
New Member

Hi i have the issue on one client
Have you got any solution ?
Regardsd

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

What does the essinstaller2.log say in /opt/splunk/var/log/splunk?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...