Splunk Enterprise Security

Why is the Splunk Enterprise Security "Content Management" screen blank on 6.5.0 search head cluster members after upgrade to ES 4.5.0?

Contributor

Hi,

We recently deployed ES Version 4.5.0 via Deployer to the Search Head Cluster. While testing on a stand-alone server, we can see the correlations being loaded under Configure -> Content Management, but for both SH cluster members, this screen is blank. Splunk Enterprise version is 6.5.0. Earlier, with ES 4.1.2, we were able to load the correlations on both members.

Is this by design for SHC, or did something go wrong during the deployment? I did verify that all necessary Apps/Add-ons are on 4.5.0 on both cluster members. Here is a screenshot:


Thanks,

~ Abhi


Re: Why is the Splunk Enterprise Security "Content Management" screen blank on 6.5.0 search head cluster members after upgrade to ES 4.5.0?

Splunk Employee

Good morning. I suspect the upgrade process messed up somewhere, and you're seeing the effects of one app (a DA or SA) that's only partially complete. As noted in the ES docs for upgrading on a SHC, all of the upgrade work has to be done on a staging instance, and the resulting upgraded ES app structure (DA, SA, TA, and Add-ons) moved over to the deployer for deployment to SHC nodes. I don't see a Known Issue that matches your symptoms.


Re: Why is the Splunk Enterprise Security "Content Management" screen blank on 6.5.0 search head cluster members after upgrade to ES 4.5.0?

Contributor

Thanks ekost.

We did the upgrade on a stand-alone server and moved the DAs/SAs over to the deployer for final cluster deployment.

Looks like this issue is only on member #1. On this particular member, the Content Management screen is blank. Also, "Indicators of Compromise" does not load either.
Whereas on cluster member #2, both of these items are loading correctly.

Since we only used the deployer to push these apps, I am not sure why only one member works as expected and the other is having issues. Any advice?

So far, other panels are loading fine on both, and I could only identify these two items not loading on member #1 (Indicators of Compromise under Security Posture, and Content Management).

Thanks,

~ Abhi


Re: Why is the Splunk Enterprise Security "Content Management" screen blank on 6.5.0 search head cluster members after upgrade to ES 4.5.0?

Contributor

This got resolved by itself. I am not sure if a replication was still in progress which was causing differences between the two members, but now both "Indicators" and "Content Management" are loading on cluster member #1.

Thanks,

~ Abhi
