Splunk Enterprise Security

Why won't SplunkWeb start after ES was upgraded?

LukeMurphey
Champion

I upgraded ES to version 5.0.0 but SplunkWeb now won't start. I see error messages like this:

2018-02-20 19:13:50,778 ERROR   [5a8cd5a8cd5a8cd5a8cd] root:825 - Unable to start splunkweb
2018-02-20 19:13:50,778 ERROR   [5a8cd5a8cd5a8cd5a8cd] root:826 - cannot import name SplunkLookupTransform
Traceback (most recent call last):
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\root.py", line 102, in <module>
    from controllers.top import *
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\top.py", line 13, in <module>
    from admin import AdminController
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\admin.py", line 18, in <module>
    from splunk.appserver.mrsparkle.controllers.appinstall import AppInstallController
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\appinstall.py", line 12, in <module>
    from splunk.appserver.mrsparkle.lib import cached, module
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\module.py", line 465, in <module>
    moduleMapper = ModuleMapper()
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\module.py", line 79, in __init__
    self.installedModules = self.getInstalledModules()
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\module.py", line 24, in helper
    return f(*a, **kw)
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\module.py", line 448, in getInstalledModules
    mods = self.getModuleList(root)
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\module.py", line 33, in helper
    return f(*a, **kw)
  File "D:\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\module.py", line 219, in getModuleList
    mod = __import__(modname)
  File "D:\Splunk\etc\apps\SA-Utils\appserver\modules\SOLNLookupEditor\SOLNLookupEditor.py", line 25, in <module>
    from SolnCommon.models import SplunkLookupTransform
ImportError: cannot import name SplunkLookupTransform

How do I fix this?

1 Solution

LukeMurphey
Champion

Short version:
Delete the directory $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor and restart SplunkWeb.

Long version:
This happens because old advanced XML modules from older ES releases are left around. SplunkWeb refuses to start when it encounters a bad advanced XML module. In this case, an old ES module named "SOLNLookupEditor" was left around and is preventing SplunkWeb from running.

ES no longer uses advanced XML modules and thus you can just remove the module.

View solution in original post

greich
Communicator

Slightly different symptoms for me after Splunk 5.0.0 search head cluster upgrade.
Splunkweb starts, and can be verified by netstat and / or a local curl (which returns a 302 redirect).
Would crash on first attempt to open a real web page.

Codes slightly different as well:
root:826 - Unable to start splunkweb
and
root:827 - cannot import name SplunkLookupTransform

Accepted answer worked a charm after I spent several hours banging my head.

0 Karma

jenipherc
Splunk Employee
Splunk Employee

By the way, those messages posted above is from web_service.log

0 Karma

LukeMurphey
Champion

Short version:
Delete the directory $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor and restart SplunkWeb.

Long version:
This happens because old advanced XML modules from older ES releases are left around. SplunkWeb refuses to start when it encounters a bad advanced XML module. In this case, an old ES module named "SOLNLookupEditor" was left around and is preventing SplunkWeb from running.

ES no longer uses advanced XML modules and thus you can just remove the module.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...