Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is there KVStore failure after upgrade to 9.0?

bigfatyeastroll
Path Finder
‎06-29-2022 08:57 AM

After upgrading to Splunk 9.0 on a single instance, we occasionally get KV Store errors. Splunk KV Store Errors.png

 

CLI status shows:

This member:
backupRestoreStatus : Ready
disabled : 0
featureCompatibilityVersion : An error occurred during the last operation ('getParameter', domain: '15', code: '13053'): No suitable servers found: `serverSelectionTimeoutMS` expired: [connection closed calling ismaster on '127.0.0.1:8191']
guid : E8254C08-B854-426C-B66D-7072D625D0F6
port : 8191
standalone : 1
status : failed
storageEngine : mmapv1

 

I've looked on Splunk.com and googled but haven't found anything on single instances beyond reinstalling 9.0 which I've done twice.

Labels (1)
Labels
Tags (3)
Reply

bigfatyeastroll
Path Finder
‎06-29-2022 09:13 AM

Here are the following tails from the log files:

root@splunk:/opt/splunk/var/log/splunk# tail mongod.log
2022-06-28T19:40:57.749Z F - [main] Fatal Assertion 28652 at src/mongo/util/net/ssl_manager_openssl.cpp 987
2022-06-28T19:40:57.749Z F - [main] \n\n***aborting after fassert() failure\n\n
2022-06-28T20:26:48.752Z W CONTROL [main] net.ssl.sslCipherConfig is deprecated. It will be removed in a future release.
2022-06-28T20:26:48.763Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.
2022-06-28T20:26:48.763Z F - [main] Fatal Assertion 28652 at src/mongo/util/net/ssl_manager_openssl.cpp 987
2022-06-28T20:26:48.763Z F - [main] \n\n***aborting after fassert() failure\n\n
2022-06-29T15:04:51.137Z W CONTROL [main] net.ssl.sslCipherConfig is deprecated. It will be removed in a future release.
2022-06-29T15:04:51.149Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.
2022-06-29T15:04:51.149Z F - [main] Fatal Assertion 28652 at src/mongo/util/net/ssl_manager_openssl.cpp 987
2022-06-29T15:04:51.149Z F - [main] \n\n***aborting after fassert() failure\n\n
root@splunk:/opt/splunk/var/log/splunk# tail splunkd.log
06-29-2022 11:11:14.993 -0500 WARN AuthorizationManager [44284 SavedSearchFetcher] - Unknown role 'winfra-admin'
06-29-2022 11:11:14.994 -0500 WARN AuthorizationManager [44284 SavedSearchFetcher] - Unknown role 'winfra-admin'
06-29-2022 11:11:14.994 -0500 WARN AuthorizationManager [44284 SavedSearchFetcher] - Unknown role 'winfra-admin'
06-29-2022 11:11:18.206 -0500 WARN HttpListener [44522 webui] - Socket error from 161.31.28.185:52910 while idling: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
06-29-2022 11:11:18.214 -0500 WARN HttpListener [44522 webui] - Socket error from 161.31.28.185:52911 while idling: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
06-29-2022 11:11:18.219 -0500 WARN HttpListener [44522 webui] - Socket error from 161.31.28.185:52912 while idling: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
06-29-2022 11:11:24.098 -0500 INFO ExecProcessor [44189 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/instance_id_modular_input.py" [assist::instance_id_modular_input.py:228] [get_server_roles] [65977] Fetched server roles, roles=['indexer', 'license_master', 'license_manager']
06-29-2022 11:11:24.107 -0500 INFO ExecProcessor [44189 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/instance_id_modular_input.py" [assist::instance_id_modular_input.py:256] [get_cluster_mode] [65977] Fetched cluster mode, mode=disabled
06-29-2022 11:11:24.107 -0500 INFO ExecProcessor [44189 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/instance_id_modular_input.py" [assist::instance_id_modular_input.py:30] [should_run] [65977] should run test, sh=False
06-29-2022 11:11:26.891 -0500 INFO TailReader [44264 tailreader0] - Batch input finished reading file='/opt/splunk/var/spool/splunk/tracker.log'

0 Karma
Reply

pavankumarh
Path Finder
‎02-05-2023 06:04 AM

You logs indicate a old pem cert. have you tried renaming the server.pem file under splunk/etc/auth. then restarting splunk service. most KV store isues are resolved with this action. 

2022-06-29T15:04:51.149Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.

Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2022 09:03 AM

Hi

what you found from splunkd.log and mongod.log?
Have you manually migrated mongo version?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...