Splunk Enterprise

What is happening in Splunk Enterprise V9.1.0.1 ?

apietersen
Contributor

RE: Case #3270697 After upgrade to 9.1.01 not able to send emails eg. of critical alerts! [ ref:_00D409oyL._5005a2bGRKI:ref ]

After upgrade to v9.1.0.1 Splunk Enterprise, (single instance), last weekend (15 July 2023) + changing admin password as was suggested by Assist (which throws an error now !?)

1) Message when using sendemail:

apietersen_0-1689859493539.png

SMTP setting: O365

apietersen_1-1689855102470.png

Checked the login on O365, of course


2) Assist stopped running???

apietersen_2-1689855102473.png

 


3) Also:

3a

apietersen_3-1689855102483.png

3b

apietersen_0-1689863439907.png

 


4) new GUI / layout ?

apietersen_4-1689855102484.png

 

5) Annoying and not working “Don’t show this again” message on every page. Just stepping to another dashboard on the same server/domain ?? 

apietersen_5-1689855102489.png

6) endless waiting:

apietersen_0-1689860492567.png

 

What is next?

Anyone else suffering from the same issues?

0 Karma

apietersen
Contributor

Last week v9.1.2 has been released. (6 nov 2023, I think it was)

After installing this version on my test instance (v9.1.1) everything seems to work again including sendemail - no issues found. Great! 👍

After installing this version several days later on our production instance (9.1.0.2) also sendemail was working fine again. Great! 👍

NB. after that I was also able to fix all other issues on our production instance as mentioned before in this post, like: kvstore, secure gateway etc Great! 👍

Many thanks to support- and development team. I am now happy splunking again! 👍👍 😀

I hereby close this post.


0 Karma

nioann
Engager

I had the same issue with sending emails. I was able to resolve it by replacing the sendemail.py file in $SPLUNKetc\apps\search\bin, with an older version of sendemail.py. I still have the issue with endless loading on settings pages. How were you able to resolve this?

0 Karma

apietersen
Contributor

Did you upgrade to v9.1.2 already?  If so, I suggest you create a ticket at support.

The replacing was a temp work-around solution for us from v9.1.0.2.

On our test server I was curious if this work-around would still work on v9.1.1 - it did not!
So I decided to wait for the release of v9.1.2.

After the release I first tested on our test server and had no problem any more with sending email. 
After some days we upgraded to V9.1.2 on our production machine.

Nb. Both our servers are running Windows 2019, and now both are on Splunk Enterprise v9.1.2 without problems so far.

nioann
Engager

Will do. Thanks for the response.

0 Karma

apietersen
Contributor

Update: support reported the email issue has changed priority from P2 to P3.
All other issues mentioned in this post: no solution found yet.

0 Karma

wskinner
Engager

Did you ever get a resolution? @apietersen ? Upgraded to 9.1.1 from 9.0.5 and saw that email alerts ceased.  I'm getting a similar message to you

0 Karma

apietersen
Contributor

Response from support / development (last week), and now testing;
worked and looks good so far.

temporary workaround:

--=-=--=-=-=-==-=-sendmail.py-=--=-=-=-=--
Do you have a test instance to check the one parameter?

We got an update from the developer team, to check the below parameter,
open the file SPLUNK_HOME/etc/apps/search/bin/sendemail.py
and you would find (approx line number 1571):

clear_password = cli_common.decrypt(encrypted_password, setEnv=True)
The setEnv flag needs to be modified from True to False, restart Splunk, and then check if the problem is resolved.

Note: Try with your test instance.

Modifying the setEnv flag from True to False will be considered a temporary workaround for this issue. In the next release, version 9.1.2, it will be fixed completely.

-=-=-=-=-=---=-icon-=-=-=-=--=

Additionally, the issue where the "loading" icon got stuck will also be fixed in version 9.1.2.

-=-=--=-=

regards AP 
@wskinner @isoutamo 

wskinner
Engager

this worked - thanks.  lol I was looking for the differences between the previous versions of sendemail.  I was hoping that 9.1.2 would have gotten deployed sooner than later, but this will work until then.

0 Karma

O815163
Loves-to-Learn Lots

replacing sendemail.py worked for me as well.

linking related post: https://community.splunk.com/t5/Other-Usage/Why-is-Splunk-send-email-function-not-working-version-9-...

0 Karma

apietersen
Contributor

Looking back:
v9.0.4.x no issues noticed
v9.0.5.x noticed KVStore issues 
v9.1.0.1 noticed all sorts of issues including not working 'sendemail'  (upgraded as I had hoped/assumed to be fixed)
v9.1.0.2 still the same issues + new strange behaviour: only reading 3 columns from any csv file (upgraded as I hoped/assumed to be fixed)

Nb. Have a zoom meeting with Splunk support later this afternoon

thanks

Reminder: running on Windows 2019 standard,  Xeon CPU, 16 cores, 64Gb , 2Tb ssd

0 Karma

apietersen
Contributor

Update 09-aug: the second remote zoom meeting on Monday 7-aug did not result in any solution so far, unfortunately. All issues are still under investigation by support and development, so I understand.

thanks

0 Karma

apietersen
Contributor

After the upgrade to v9.1.0.2, last weekend - hoping and assuming some issues were addressed and fixed, as noted in this post - now another issue arose, which makes our production instance even more unreliable.

When using a simple '| inputlookup email.csv' search it only shows 3 columns! On our fresh build test-server with instance v9.1.0.2 the same search produces the correct number of columns.

Has somebody experienced this same issue, or have a clue why, or have a tip? Or what do I miss here?

By the way, the sendemail did not work either after upgrade to v9.1.0.2; after restoring a sendemail.py file from backup v9.0.4 (as I described in this post earlier) sendemail was working again, for now. But what is next! 😞

Nb. Sorry, I really think Splunk should pay more attention to testing and quality control before releasing new versions. 

thanks

0 Karma

apietersen
Contributor

Update: after upgrade to Splunk Enterprise v9.1.0.2, "sendemail" issue still exists.

0 Karma

apietersen
Contributor

Update:

SORRY, AT THE MOMENT NOT MUCH HAPPY SPLUNKING HERE

WE RUN A 2nd Splunk Enterprise server (FOR TEST/DEV etc) and most issues mentioned below show on both machines….

Nb. A week before we upgraded our production machine we installed v9.0.1 on our test-server and we only noticed point 5 and 6 but were not alarmed by the things that would come later after we decided to go forward. It came to our attention after we did not see any Alerts and other emails were sent.

After upgrade to v9.1.0.1 Splunk Enterprise, (single instance), last weekend (15 July 2023) + changing admin password as was suggested by Assist (which throws an error today / now !?)

1) Message when using sendemail:

apietersen_0-1690184161455.png


SMTP setting: O365

apietersen_1-1690184161456.png

 

Checked the login on O365, of course

ITEM 1 IS STILL NOT SOLVED


2) Assist stopped running???

apietersen_2-1690184161470.png

ITEM 2 IS STILL NOT SOLVED


3) Also issue with:

3a

apietersen_3-1690184161473.png

3b -after restart:

apietersen_4-1690184161481.png

 ITEM  3a and 3b IS STILL NOT SOLVED


4) new GUI / layout ?

apietersen_5-1690184161483.png

 ITEM  4 IS NOT ANSWERED YET


5) Annoying and not working “Don’t show this again” message on every page. Just stepping to another dashboard on the same server/domain ?? 

apietersen_6-1690184161485.png

 ITEM 5 HAS BEEN SOLVED


6) endless waiting:

apietersen_7-1690184161486.png

 

 

apietersen_8-1690184161487.png

 

 ITEM  6 IS STILL NOT SOLVED – ANY CONFIG CHANGED IN WEB GUI IS NOT WORKING AND ANY CONFIG PAGE KEEPS HANGING. "Loading"


 

 

 

 

0 Karma

apietersen
Contributor

Thanks I will check...

 

0 Karma

isoutamo
SplunkTrust

Hi

Based on that kvstore/mongodb message I suspect that mongodb is not running? You could check its status by

splunk show kvstore-status --verbose

If it's not up and running, you would find the reason in $SPLUNK_HOME/var/log/splunk/mongod.log

Probably the most common reason for "not running kvstore/mongod" is an expired TLS certificate.

r. Ismo

apietersen
Contributor

Hi isoutamo

I ran the kvstore diag, as admin:
apietersen_0-1690006566891.png

  • not sure if this is TLS related?
  • also do not understand why I should have TLS enabled to access something running on the same single server/Splunk Enterprise instance?
  • where can I disable this in conf file?
  • or how to renew cert??



thanks

 

0 Karma

apietersen
Contributor

mongod.log shows:

 

2023-07-21T21:14:54.507+0200 W CONTROL [main] Option: sslMode is deprecated. Please use tlsMode instead.
2023-07-21T21:14:54.508+0200 W CONTROL [main] Option: sslCipherConfig is deprecated. Please use tlsCipherConfig instead.
2023-07-21T21:14:54.508+0200 W CONTROL [main] Option: sslAllowConnectionsWithoutCertificates is deprecated. Please use tlsAllowConnectionsWithoutCertificates instead.
2023-07-21T21:14:54.508+0200 W CONTROL [main] Option: sslAllowInvalidHostnames is deprecated. Please use tlsAllowInvalidHostnames instead.
2023-07-21T21:14:54.508+0200 W CONTROL [main] Option: sslAllowInvalidCertificates is deprecated. Please use tlsAllowInvalidCertificates instead.
2023-07-21T21:14:54.508+0200 W CONTROL [main] Option: sslCertificateSelector is deprecated. Please use tlsCertificateSelector instead.
2023-07-21T19:14:54.513Z W CONTROL [main] net.tls.tlsCipherConfig is deprecated. It will be removed in a future release.
2023-07-21T19:14:54.528Z W NETWORK [main] sslCipherConfig parameter is not supported with Windows SChannel and is ignored.
2023-07-21T19:14:54.529Z W NETWORK [main] sslCipherConfig parameter is not supported with Windows SChannel and is ignored.
2023-07-21T19:14:54.529Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.
2023-07-21T19:14:54.529Z F - [main] Fatal Assertion 50755 at src\mongo\util\net\ssl_manager_windows.cpp 1609
2023-07-21T19:14:54.529Z F - [main] \n\n***aborting after fassert() failure\n\n

 

  • Where and what can I change to get it working again or ignore these TLS SSL and/expired messages?
  • Where to renew these "indoor"  TLS certs  (self-signed cert I assume and hope) ?

Splunk.log shows:

07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-USPS-OFFLINE-CSV
07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-Camera1
07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-usps-off4
07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-USPS-OFFLINE-CSV
07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-usps-off4
07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-USPS-OFFLINE-CSV
07-22-2023 11:05:55.181 +0200 WARN  SearchOperator:kv [13064 SchedulerThread] - Could not find a transform named REPORT-Camera1
07-22-2023 11:05:55.213 +0200 INFO  NoahSearchPeerFetcher [13064 SchedulerThread] - Fetch requested. sid=scheduler__nobody__search__RMD5883a9bd5121d9759_at_1690016700_59 use_cache=1
07-22-2023 11:06:00.268 +0200 INFO  ExecProcessor [10852 ExecProcessor] - setting reschedule_ms=59732, for command="D:\Program Files\Splunk\bin\Python3.exe" "D:\Program Files\Splunk\etc\apps\search\bin\quarantine_files.py"



Thanks

0 Karma

isoutamo
SplunkTrust

As it said, your tls/ssl cert has expired, so you need to renew it.
If you are using Splunk’s default certs (you shouldn’t), just remove/rename the old certificate file and restart Splunk. That will generate a new one. If you are using an official one from some cert authority or your own, then you must get a new one from there and replace the current one with that.

You could check that e.g. with command 

openssl x509 -in mycert.pem -text -noout

This tells you the validity and who has guaranteed it.

0 Karma
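
The diagnosis in the replies above (read mongod.log to find why the KV store is down), as an added example that is not part of any post in this thread: a small Python parser for the mongod.log line format quoted above that normalizes the mixed local/UTC timestamps and pulls out the fatal startup cause. The sample lines are constructed from the excerpt, and the function names and the cause label are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the mongod.log excerpt quoted in this thread.
SAMPLE_LOG = r"""
2023-07-21T21:14:54.507+0200 W CONTROL [main] Option: sslMode is deprecated. Please use tlsMode instead.
2023-07-21T19:14:54.528Z W NETWORK [main] sslCipherConfig parameter is not supported with Windows SChannel and is ignored.
2023-07-21T19:14:54.529Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.
2023-07-21T19:14:54.529Z F - [main] Fatal Assertion 50755 at src\mongo\util\net\ssl_manager_windows.cpp 1609
"""

# timestamp (local offset or Z), severity letter, component, [context], message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})(?P<tz>Z|[+-]\d{4})\s+"
    r"(?P<sev>[DIWEF])\s+(?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$")
ASSERT_RE = re.compile(r"Fatal Assertion (\d+) at (\S+) (\d+)")
# Message fragment -> cause label (the label is this example's own naming).
KNOWN_CAUSES = {"SSL certificate is expired or not yet valid": "tls-certificate-validity"}

def parse_line(line):
    """Return one parsed record with a UTC timestamp, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"] + m["tz"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return {"utc": when.astimezone(timezone.utc), "sev": m["sev"],
            "component": m["comp"], "msg": m["msg"]}

def triage(text):
    """Count warnings and collect fatal (F) records, their cause and assertion site."""
    report = {"warnings": 0, "fatal": [], "cause": None, "assertion": None}
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["sev"] == "W":
            report["warnings"] += 1
        elif rec["sev"] == "F":
            report["fatal"].append(rec)
            for fragment, label in KNOWN_CAUSES.items():
                if report["cause"] is None and fragment in rec["msg"]:
                    report["cause"] = label
            hit = ASSERT_RE.search(rec["msg"])
            if hit and report["assertion"] is None:
                report["assertion"] = {"id": int(hit[1]), "file": hit[2], "line": int(hit[3])}
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    first = result["fatal"][0]
    print(first["utc"].isoformat(), first["component"], first["msg"])
    print("cause:", result["cause"], "| assertion:", result["assertion"])
```

To use it on a real instance, pass the contents of $SPLUNK_HOME/var/log/splunk/mongod.log to triage() instead of the sample.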

apietersen
Contributor

sorry, both on test-server and on production server shows:

apietersen_0-1690207839243.png

 

 

0 Karma