Splunk Enterprise Security

Why is the Splunk Enterprise Security "Content Management" screen blank on 6.5.0 search head cluster members after upgrade to ES 4.5.0?

att35
Builder

Hi,

We recently deployed ES Version 4.5.0 via Deployer to the Search Head Cluster. While testing on a stand-alone server, we can see the correlations being loaded under Configure -> Content Management, but for both SH cluster members, this screen is blank. Splunk Enterprise version is 6.5.0. Earlier, with ES 4.1.2, we were able to load the correlations on both members.

Is this by design for SHC, or did something go wrong during the deployment? I did verify that all necessary Apps/Add-on are on 4.5.0 on both Cluster members. Here is a screenshot:

alt text

Thanks,

~ Abhi

0 Karma
1 Solution

att35
Builder

This got resolved by itself. I am not sure if a replication was still in progress which was causing differences between the two members, but now "Indicators" and "Content Management, both are loading on Cluster member # 1.

Thanks,

~ Abhi

View solution in original post

0 Karma

att35
Builder

This got resolved by itself. I am not sure if a replication was still in progress which was causing differences between the two members, but now "Indicators" and "Content Management, both are loading on Cluster member # 1.

Thanks,

~ Abhi

0 Karma

ekost
Splunk Employee
Splunk Employee

Good morning. I suspect the upgrade process messed up somewhere, and you're seeing the effects of one app (a DA or SA) that's only partially complete. As noted in the ES docs for upgrading on a SHC, all of the upgrade work has to be done on a staging instance, and the resulting upgraded ES app structure (DA, SA, TA, and Add-ons) moved over to the deployer for deployment to SHC nodes. I don't see a Known Issue that matches your symptoms.

att35
Builder

Thanks ekost.

We did the upgrade on a stand-alone server and moved the DA/SA's over to the deployer for final cluster deployment.

Looks like this issue is only on member # 1. On this particular member, content management screen is blank. Also, "Indicators of Compromise" do not load either.
Whereas, on cluster member # 2, both these items are loading correctly.

Since we only used deployer to push these apps, I am not sure why only one member works as expected and other is having issues. Any advise?

So far, other panels are loading fine on both and I could only identify these two items not loading on member # 1.( Indicators of Compromise under security posture and Content Management)

Thanks,

~ Abhi

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...