Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

KV store termination issue frequently

uagraw01
Motivator
‎02-10-2025 08:31 AM

Dear Splunkers!!

Following the migration of our Splunk server from version 8.1.1 to 9.1.1, we have encountered persistent KV Store failures. The service terminates unexpectedly multiple times post-migration.



Issue Summary:

  • As a workaround, I renewed the server.pem certificate and rebuilt the MongoDB folder.
  • This temporarily resolves the issue, and KV Store starts working as expected.
  • However, the corruption reoccurs the following day, requiring the same manual interventions.

Request for Permanent Resolution:

I seek a permanent fix to prevent KV Store from repeatedly failing. Kindly provide insights into the root cause and recommend a robust solution to ensure KV Store stability post-migration.

Looking forward to your expert guidance.

0 Karma
Reply

uagraw01
Motivator
‎02-18-2025 05:30 AM

@livehybrid  For your information. I have changed the kvstore port from 8191 to 8192 and its start working properly since then.

0 Karma
Reply

anhduc2901
New Member
‎06-25-2025 08:38 PM

@uagraw01 how you change the port ? i mean when i reconf in /splunk/etc/system/local/server.conf with port = 8192 under stanza [kvstore] then the kvstore cant be enable anymore (status = failed) 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-10-2025 08:44 AM

Hi @uagraw01 

Are there any mongo/kvstore logs in $SPLUNK_HOME/var/log/splunk/splunkd.log or mongod.log with any error/critical/fatal or maybe even warning messages?

What process did you take to rebuild the mongoDB folder?

Thanks, hopefully we can help get to the bottom of it!

0 Karma
Reply

uagraw01
Motivator
‎02-10-2025 09:36 AM

I just removed complete kvstore folder from "/opt/splunk/var/lib/splunk/" after taking the backup and restart the splunk services.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...