Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Entreprise Max Upload issue

fedayn05
Engager
a week ago

Hello Folks,

I am currently using Splunk Entreprise10.0.0 on ubuntu , I am trying to upload an app manually but it told me that the max upload is 512 Mb , i changed the value in web.conf to from 500 to 2000 , restart the service. 

I run : /opt/splunk/bin/splunk btool web list settings | grep max_upload , and it returns max_upload_size = 2000 .

But when i try uploading again , it gives me the same error. Any idea plese.

Thank you in advance for your help

Labels (2)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
a week ago

Okay @fedayn05 

Ive been down a rabbit hole on this one and found that the 512mb limit is hard-coded in the UI component in >= 10.0.0

livehybrid_0-1760989307640.png

I was testing uploading of ES 8.x on a local Splunk 10.0.1 install and found the same issue you had which led me to this. 

Are you also trying to install ES8? I discovered SPL-282727 which relates to ES8 not being installable via the Web UI in Splunk 10.x (See  https://help.splunk.com/en/splunk-enterprise-security-8/release-notes-and-resources/8.2/splunk-enter... ) and https://help.splunk.com/en/splunk-enterprise-security-8/release-notes-and-resources/8.2/splunk-enter... also states 

You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line.

So the bottom line is that this is a bug - whilst the above is specific to Enterprise Security, even if you arent trying to install ES8 I believe you will be hitting the same issue.

Hopefully this will be resolved soon but in the meantime please install your app a via the CLI.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

fedayn05
Engager
Monday

Hello,

Thank you so much for your response and efforts, this really helped me as i thought the issue ewas on my side but it was a bug after all.

I am planning to go the 9.4 version, do you have any guide by chance on howe to switch from Splunk Etreprise 10.x to 9.4.

Thank you for you response once again .

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
Monday

There is no official/supported way of downgrading your Splunk Enterprise environment.

You _might_ get away with doing a backup of your runtime data and local configs, razing your environment completely, installing lower version and restoring the backup but it is a relatively risky process (and of course if you have a distributed environment you'd have to do the downgrades in the opposite order from your upgrades). But noone will guarantee that it will not destroy your setup. Especially since you want to downgrade over big version.

0 Karma
Reply

fedayn05
Engager
Monday

Hello,

Can I then deploy another VM , install the intended Splunk version , then detach the disk from the old Splunk and attach it to the new one.

May this work ?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
Monday

Depends on what you mean by "disk". Data? Config? Generally this boils more or less to "install and restore config/data" and will have more or less the same result.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
a week ago

Hi @fedayn05 

This is very odd, if you've run 

/opt/splunk/bin/splunk btool web list settings | grep max_upload_size

then it would confirm that it the max_upload_size is in the correct stanza (settings) in the correct file (web.conf) and its not commented out or mis-spelt.

Just to check  - its just plain-old 2000 right? not 2000MB or 2000mb

Can I also confirm that you are running Splunk on Linux? 

Which version are you on? 

Im suspecting there may be an issue with 10.0.x here but trying to rule things out. Also - the default is 500 not 512 so makes me wonder if there is another setting somewhere?? 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a week ago

What is your environment? Are you sure you're changing the settings on the right component? (yes I know it's a very basic question but sometimes we miss the obvious)

0 Karma
Reply

vjdev
Path Finder
a week ago

Hello,

1. Verifiy the configuration web.conf


[settings]
max_upload_size = 2000

2. Restart Splunk

3. Verify configuration in the memory

/opt/splunk/bin/splunk show config web | grep max_upload_size

4. Try upload the file Now.

Thank you!

0 Karma
Reply

fedayn05
Engager
a week ago

Hello vjdev,

1- The web.conf returns : max_upload_size = 2000

2- i did restart splunk (both via CLI and GUI)

3- i run this /opt/splunk/bin/splunk show config web | grep max_upload_size and it returns max_upload_size = 2000

So i really do not know if this is a bug or another config somewhere is overatting the web.conf file

 

Thank you for your response

0 Karma
Reply

fedayn05
Engager
a week ago

Hello,

Thaank you for your response , the  size of the app is around 800mb , i just set 2000mb as a choice , the error was " Upload failed: Package is too large, must be less than 512 MB",

I tried to see if an error is produced on splnkd.log , but nothing got out of it .

Thank you

 
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
a week ago

Hi @fedayn05 

Can you please confirm the size of the app your are trying to install? Its definitely smaller than 2000mb right? 

What is the specific error returned? Is there also a more detailed error in $SPLUNK_HOME/var/log/splunk/splunkd.log ?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Machine Learning - Assisted Adaptive Thresholding

Let’s talk thresholding. Have you set up static thresholds? Tired of static thresholds triggering false ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...