×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
morganfw
Path Finder
Member since: ‎09-09-2011
Community Statistics
Posts 21
Solutions 2
Karma Given 1
Karma Received 1
Member Since ‎09-09-2011
Activity Feed
Topics I've Started
View All

Re: KVstore unable to start after upgrade to Splun...

by in Splunk Enterprise
‎01-28-2025 01:13 AM
1 Karma
‎01-28-2025 01:13 AM
1 Karma
In our test environment we downgraded to 9.3.2 and KV Store was not started with the same error message in the log file, maybe the mongodb was corrupted. As reported in the Splunk docs here: https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/MigrateKVstore the mongodb server need to be on 4.2.x version: You must upgrade to server version 4.2.x before upgrading to Splunk Enterprise 9.4.x or higher. For instructions and information about updating to KV store server version 4.2.x in Splunk Enterprise versions 9.0.x through 9.3.x, see Migrate the KV store storage engine in the Splunk Enterprise 9.3.0 documentation.   so, to check, it is strongly suggested to see the following Splunk guide: https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/MigrateKVstore After that, we stopped Splunk and issued a splunk clean kvstore --local after restarting Splunk everything was back working. We upgraded again to 9.4.0, after some seconds it starts to upgrade mongodb from 4.2 to 7.0 through 4.4, 5.0 and 6.0 with message in GUI that KV store is updating, we need to wait until update its finished. After some minutes mongodb was been successfully updated with the following message in the Splunk GUI: and the Splunk version: it is strongly suggested to tailing the $SPLUNK_HOME/var/log/splunk/mongodb_upgrade.log and do not operate on Splunk until update is finished. below the mongodb_upgrade.log 2025-01-28T08:36:25.567Z INFO [mongod_upgrade] Mongod Upgrader Logs 2025-01-28T08:36:25.568Z DEBUG [mongod_upgrade] mongod_upgrade arguments: Args { verbose: Verbosity { verbose: 1, quiet: 0, phantom: PhantomData<clap_verbosity::InfoLevel> }, uri: "mongodb://__system@127.0.0.1:8191/?replicaSet=B99AB2AA-EE93-405A-95CD-89EAC0FCA551&retryWrites=true&authSource=local&ssl=true&connectTimeoutMS=10000&socketTimeoutMS=300000&readPreference=nearest&readPreferenceTags=instance:B99AB2AA-EE93-405A-95CD-89EAC0FCA551&readPreferenceTags=all:all&tlsAllowInvalidCertificates=true", nodes: 1, local_uri: "mongodb://__system@127.0.0.1:8191/?w=majority&journal=true&retryWrites=true&authSource=local&ssl=true&connectTimeoutMS=10000&socketTimeoutMS=300000&tlsAllowInvalidCertificates=true&directConnection=true", backup_disabled: false, ld_linker: "lib/ld-2.26.so", data_directory: "/opt/splunk/var/lib/splunk/kvstore/mongo", backup_path: "/opt/splunk/var/lib/splunk/kvstore/mongo_backup", shadow_mount_dir: "C:\\mongo_shadow\\", backup_volume: "NOT_SPECIFIED", logpath: "/opt/splunk/var/log/splunk/mongod.log", keep_metadata: false, drop_metadata: false, pre_drop_metadata: false, keep_backups: true, metadata_database: "migration_metadata", metadata_collection: "migration_metadata", rsync_retries: 5, max_start_retries: 10, shutdown_mongod: true, rsync_path: "/opt/splunk/bin/rsync", keyfile_path: Some("/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key"), max_command_time_ms: 60000, time_duration_block_s: 1, polling_interval_ms: 100, polling_max_wait_ms: 26460000, polling_version_max_wait_ms: 4800000, max_retries: 4, health_check_max_retries: 60, use_ld: false, mongod_args: ["--dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo", "--storageEngine=wiredTiger", "--wiredTigerCacheSizeGB=1.050000", "--port=8191", "--timeStampFormat=iso8601-utc", "--oplogSize=200", "--keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key", "--setParameter=enableLocalhostAuthBypass=0", "--setParameter=oplogFetcherSteadyStateMaxFetcherRestarts=0", "--replSet=B99AB2AA-EE93-405A-95CD-89EAC0FCA551", "--bind_ip=0.0.0.0", "--sslCAFile=/opt/splunk/etc/auth/cacert.pem", "--tlsAllowConnectionsWithoutCertificates", "--sslMode=requireSSL", "--sslAllowInvalidHostnames", "--sslPEMKeyFile=/opt/splunk/etc/auth/server.pem", "--sslPEMKeyPassword=password", "--tlsDisabledProtocols=noTLS1_0,noTLS1_1", "--sslCipherConfig=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256", "--nounixsocket", "--noscripting"] } 2025-01-28T08:36:25.568Z INFO [mongod_upgrade] Executing Preflight Checks 2025-01-28T08:36:25.568Z DEBUG [mongod_upgrade] client_options_primary: ClientOptions { hosts: [Tcp { host: "127.0.0.1", port: Some(8191) }], app_name: None, compressors: None, connect_timeout: Some(10s), credential: Some(Credential("REDACTED")), direct_connection: None, driver_info: None, heartbeat_freq: None, load_balanced: None, local_threshold: None, max_idle_time: None, max_pool_size: None, min_pool_size: None, max_connecting: None, read_concern: None, repl_set_name: Some("B99AB2AA-EE93-405A-95CD-89EAC0FCA551"), retry_reads: None, retry_writes: Some(true), selection_criteria: Some(ReadPreference(Nearest { options: ReadPreferenceOptions { tag_sets: Some([{"instance": "B99AB2AA-EE93-405A-95CD-89EAC0FCA551"}, {"all": "all"}]), max_staleness: None, hedge: None } })), server_api: None, server_selection_timeout: None, default_database: None, tls: Some(Enabled(TlsOptions { allow_invalid_certificates: Some(true), ca_file_path: None, cert_key_file_path: None, allow_invalid_hostnames: None })), write_concern: None, srv_max_hosts: None } 2025-01-28T08:36:25.587Z INFO [mongod_upgrade] Checking intial FCV 2025-01-28T08:36:25.587Z INFO [mongod_upgrade] Feature Compatibility Version is: 4.2 2025-01-28T08:36:25.587Z DEBUG [mongod_upgrade] Hostname set to "127.0.0.1:8191" 2025-01-28T08:36:25.588Z INFO [mongod_upgrade] Preflight completed successfully 2025-01-28T08:36:25.589Z INFO [mongod_upgrade] Executing backup before upgrade 2025-01-28T08:36:25.613Z DEBUG [mongod_upgrade] Backup update doc: Document({"$set": Document({"backup.location": String("/opt/splunk/var/lib/splunk/kvstore/mongo_backup"), "backup.start": DateTime(2025-01-28 8:36:25.613 +00:00:00), "backup.phase1_start": DateTime(2025-01-28 8:36:25.613 +00:00:00)})}) 2025-01-28T08:36:25.662Z DEBUG [mongod_upgrade] Backup update result: UpdateResult { matched_count: 0, modified_count: 0, upserted_id: Some(String("BACKUP_127.0.0.1:8191")) } 2025-01-28T08:36:26.426Z DEBUG [mongod_upgrade] Rsync returned successfully. 2025-01-28T08:36:26.426Z DEBUG [mongod_upgrade] Backup update doc: Document({"$set": Document({"backup.phase1_end": DateTime(2025-01-28 8:36:26.426 +00:00:00), "backup.phase2_start": DateTime(2025-01-28 8:36:26.426 +00:00:00)})}) 2025-01-28T08:36:26.428Z DEBUG [mongod_upgrade] Backup update result: UpdateResult { matched_count: 1, modified_count: 1, upserted_id: None } 2025-01-28T08:36:26.429Z DEBUG [mongod_upgrade::conditions] "phase1" complete count: 1 2025-01-28T08:36:26.433Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(61), "optime": Document({"ts": Timestamp { time: 1738053386, increment: 1 }, "t": Int64(2)}), "optimeDate": DateTime(2025-01-28 8:36:26.0 +00:00:00), "syncingTo": String(""), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("could not find member to sync from"), "electionTime": Timestamp { time: 1738053327, increment: 1 }, "electionDate": DateTime(2025-01-28 8:35:27.0 +00:00:00), "configVersion": Int32(1), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-28T08:36:26.434Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-28T08:36:26.434Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-28T08:36:26.434Z INFO [mongod_upgrade] Node identified as Primary, issuing fsyncLock and pausing writes to node 2025-01-28T08:36:26.578Z INFO [mongod_upgrade] Document({"info": String("now locked against writes, use db.fsyncUnlock() to unlock"), "lockCount": Int64(1), "seeAlso": String("http://dochub.mongodb.org/core/fsynccommand"), "ok": Double(1.0), "$clusterTime": Document({"clusterTime": Timestamp { time: 1738053386, increment: 1 }, "signature": Document({"hash": Binary { subtype: Generic, bytes: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }, "keyId": Int64(0)})}), "operationTime": Timestamp { time: 1738053386, increment: 1 }}) 2025-01-28T08:36:26.578Z INFO [mongod_upgrade] Waiting for replication lag to be 0 on all secondary nodes 2025-01-28T08:36:27.759Z INFO [mongod_upgrade] unpausing writes to node 2025-01-28T08:36:27.764Z INFO [mongod_upgrade] Document({"info": String("fsyncUnlock completed"), "lockCount": Int64(0), "ok": Double(1.0), "$clusterTime": Document({"clusterTime": Timestamp { time: 1738053386, increment: 1 }, "signature": Document({"hash": Binary { subtype: Generic, bytes: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] }, "keyId": Int64(0)})}), "operationTime": Timestamp { time: 1738053386, increment: 1 }}) 2025-01-28T08:36:27.764Z DEBUG [mongod_upgrade] Second rsync returned successfully. 2025-01-28T08:36:27.764Z DEBUG [mongod_upgrade] Backup update doc: Document({"$set": Document({"backup.phase2_end": DateTime(2025-01-28 8:36:27.764 +00:00:00), "backup.end": DateTime(2025-01-28 8:36:27.764 +00:00:00)})}) 2025-01-28T08:36:27.765Z DEBUG [mongod_upgrade] Backup update result: UpdateResult { matched_count: 1, modified_count: 1, upserted_id: None } 2025-01-28T08:36:27.766Z DEBUG [mongod_upgrade::conditions] "phase2" complete count: 1 2025-01-28T08:36:27.766Z INFO [mongod_upgrade] Backup completed successfully 2025-01-28T08:36:27.766Z INFO [mongod_upgrade] Starting rolling update 2025-01-28T08:36:27.785Z INFO [mongod_upgrade::commands] Init results: InsertOneResult { inserted_id: String("127.0.0.1:8191") } 2025-01-28T08:36:27.785Z INFO [mongod_upgrade] Waiting for initialization 2025-01-28T08:36:27.786Z DEBUG [mongod_upgrade::conditions] Init count: 1 2025-01-28T08:36:27.786Z INFO [mongod_upgrade] All initialized 2025-01-28T08:36:27.786Z INFO [mongod_upgrade] Upgrading to 4.4 2025-01-28T08:36:27.787Z INFO [mongod_upgrade] Waiting if primary 2025-01-28T08:36:27.788Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(62), "optime": Document({"ts": Timestamp { time: 1738053387, increment: 2 }, "t": Int64(2)}), "optimeDate": DateTime(2025-01-28 8:36:27.0 +00:00:00), "syncingTo": String(""), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("could not find member to sync from"), "electionTime": Timestamp { time: 1738053327, increment: 1 }, "electionDate": DateTime(2025-01-28 8:35:27.0 +00:00:00), "configVersion": Int32(1), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-28T08:36:27.788Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-28T08:36:27.788Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-28T08:36:27.788Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-28T08:36:27.788Z INFO [mongod_upgrade] Getting lock 2025-01-28T08:36:27.789Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-28T08:36:27.790Z INFO [mongod_upgrade::conditions] locked 2025-01-28T08:36:27.790Z INFO [mongod_upgrade] Got lock: true 2025-01-28T08:36:27.790Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 4.4 2025-01-28T08:36:27.790Z INFO [mongod_upgrade::commands] In update for 4.4 2025-01-28T08:36:29.202Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-28T08:36:29.736Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(8), source: None } 2025-01-28T08:36:35.754Z INFO [mongod_upgrade::commands] Checking if mongod is online 2025-01-28T08:37:05.755Z INFO [mongod_upgrade::commands] mongod is offline 2025-01-28T08:37:05.755Z INFO [mongod_upgrade::commands] Shutdown output: Document({}) 2025-01-28T08:37:07.813Z INFO [mongod_upgrade::commands] UPGRADE_TO_4.4_SUCCESSFUL 2025-01-28T08:37:09.813Z INFO [mongod_upgrade::commands] Attempting to update status 2025-01-28T08:37:09.817Z INFO [mongod_upgrade::commands] Status updated successfully 2025-01-28T08:37:09.823Z INFO [mongod_upgrade] Waiting for other nodes in replica set to upgrade 2025-01-28T08:37:09.824Z DEBUG [mongod_upgrade::conditions] Upgraded count: 1 2025-01-28T08:37:09.824Z INFO [mongod_upgrade] All upgraded to 4.4, proceeding. 2025-01-28T08:37:09.824Z INFO [mongod_upgrade] Setting new FCV Version: 4.4 2025-01-28T08:37:09.838Z INFO [mongod_upgrade] FCV change successful: () 2025-01-28T08:37:24.838Z INFO [mongod_upgrade] Upgrading to 5.0 2025-01-28T08:37:24.840Z INFO [mongod_upgrade] Waiting if primary 2025-01-28T08:37:24.841Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(18), "optime": Document({"ts": Timestamp { time: 1738053429, increment: 4 }, "t": Int64(3)}), "optimeDate": DateTime(2025-01-28 8:37:09.0 +00:00:00), "lastAppliedWallTime": DateTime(2025-01-28 8:37:09.834 +00:00:00), "lastDurableWallTime": DateTime(2025-01-28 8:37:09.834 +00:00:00), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("Could not find member to sync from"), "electionTime": Timestamp { time: 1738053427, increment: 1 }, "electionDate": DateTime(2025-01-28 8:37:07.0 +00:00:00), "configVersion": Int32(2), "configTerm": Int32(3), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-28T08:37:24.841Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-28T08:37:24.841Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-28T08:37:24.842Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-28T08:37:24.842Z INFO [mongod_upgrade] Getting lock 2025-01-28T08:37:24.842Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-28T08:37:24.843Z INFO [mongod_upgrade::conditions] locked 2025-01-28T08:37:24.843Z INFO [mongod_upgrade] Got lock: true 2025-01-28T08:37:24.843Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 5.0 2025-01-28T08:37:24.843Z INFO [mongod_upgrade::commands] In update for 5.0 2025-01-28T08:37:26.825Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-28T08:37:27.994Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(9), source: None } 2025-01-28T08:37:34.004Z INFO [mongod_upgrade::commands] Checking if mongod is online 2025-01-28T08:38:04.006Z INFO [mongod_upgrade::commands] mongod is offline 2025-01-28T08:38:04.006Z INFO [mongod_upgrade::commands] Shutdown output: Document({}) 2025-01-28T08:38:06.710Z INFO [mongod_upgrade::commands] UPGRADE_TO_5.0_SUCCESSFUL 2025-01-28T08:38:08.710Z INFO [mongod_upgrade::commands] Attempting to update status 2025-01-28T08:38:08.717Z INFO [mongod_upgrade::commands] Status updated successfully 2025-01-28T08:38:08.725Z INFO [mongod_upgrade] Waiting for other nodes in replica set to upgrade 2025-01-28T08:38:08.732Z DEBUG [mongod_upgrade::conditions] Upgraded count: 1 2025-01-28T08:38:08.732Z INFO [mongod_upgrade] All upgraded to 5.0, proceeding. 2025-01-28T08:38:08.732Z INFO [mongod_upgrade] Setting new FCV Version: 5.0 2025-01-28T08:38:08.748Z INFO [mongod_upgrade] FCV change successful: () 2025-01-28T08:38:23.748Z INFO [mongod_upgrade] Upgrading to 6.0 2025-01-28T08:38:23.751Z INFO [mongod_upgrade] Waiting if primary 2025-01-28T08:38:23.752Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(19), "optime": Document({"ts": Timestamp { time: 1738053488, increment: 5 }, "t": Int64(4)}), "optimeDate": DateTime(2025-01-28 8:38:08.0 +00:00:00), "lastAppliedWallTime": DateTime(2025-01-28 8:38:08.745 +00:00:00), "lastDurableWallTime": DateTime(2025-01-28 8:38:08.745 +00:00:00), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("Could not find member to sync from"), "electionTime": Timestamp { time: 1738053486, increment: 1 }, "electionDate": DateTime(2025-01-28 8:38:06.0 +00:00:00), "configVersion": Int32(3), "configTerm": Int32(4), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-28T08:38:23.752Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-28T08:38:23.752Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-28T08:38:23.752Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-28T08:38:23.752Z INFO [mongod_upgrade] Getting lock 2025-01-28T08:38:23.753Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-28T08:38:23.757Z INFO [mongod_upgrade::conditions] locked 2025-01-28T08:38:23.757Z INFO [mongod_upgrade] Got lock: true 2025-01-28T08:38:23.758Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 6.0 2025-01-28T08:38:23.758Z INFO [mongod_upgrade::commands] In update for 6.0 2025-01-28T08:38:25.544Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-28T08:38:25.845Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(13), source: None } 2025-01-28T08:38:31.854Z INFO [mongod_upgrade::commands] Checking if mongod is online 2025-01-28T08:39:01.856Z INFO [mongod_upgrade::commands] mongod is offline 2025-01-28T08:39:01.856Z INFO [mongod_upgrade::commands] Shutdown output: Document({}) 2025-01-28T08:39:03.281Z INFO [mongod_upgrade::commands] UPGRADE_TO_6.0_SUCCESSFUL 2025-01-28T08:39:05.281Z INFO [mongod_upgrade::commands] Attempting to update status 2025-01-28T08:39:05.285Z INFO [mongod_upgrade::commands] Status updated successfully 2025-01-28T08:39:05.297Z INFO [mongod_upgrade] Waiting for other nodes in replica set to upgrade 2025-01-28T08:39:05.299Z DEBUG [mongod_upgrade::conditions] Upgraded count: 1 2025-01-28T08:39:05.299Z INFO [mongod_upgrade] All upgraded to 6.0, proceeding. 2025-01-28T08:39:05.299Z INFO [mongod_upgrade] Setting new FCV Version: 6.0 2025-01-28T08:39:05.460Z INFO [mongod_upgrade] FCV change successful: () 2025-01-28T08:39:20.460Z INFO [mongod_upgrade] Upgrading to 7.0 2025-01-28T08:39:20.462Z INFO [mongod_upgrade] Waiting if primary 2025-01-28T08:39:20.464Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(19), "optime": Document({"ts": Timestamp { time: 1738053545, increment: 10 }, "t": Int64(5)}), "optimeDate": DateTime(2025-01-28 8:39:05.0 +00:00:00), "lastAppliedWallTime": DateTime(2025-01-28 8:39:05.451 +00:00:00), "lastDurableWallTime": DateTime(2025-01-28 8:39:05.451 +00:00:00), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("Could not find member to sync from"), "electionTime": Timestamp { time: 1738053543, increment: 1 }, "electionDate": DateTime(2025-01-28 8:39:03.0 +00:00:00), "configVersion": Int32(3), "configTerm": Int32(5), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-28T08:39:20.464Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-28T08:39:20.464Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-28T08:39:20.465Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-28T08:39:20.465Z INFO [mongod_upgrade] Getting lock 2025-01-28T08:39:20.466Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-28T08:39:20.469Z INFO [mongod_upgrade::conditions] locked 2025-01-28T08:39:20.469Z INFO [mongod_upgrade] Got lock: true 2025-01-28T08:39:20.470Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 7.0 2025-01-28T08:39:20.470Z INFO [mongod_upgrade::commands] In update for 7.0 2025-01-28T08:39:21.724Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-28T08:39:22.519Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(17), source: None } 2025-01-28T08:39:28.529Z INFO [mongod_upgrade::commands] Checking if mongod is online 2025-01-28T08:39:58.531Z INFO [mongod_upgrade::commands] mongod is offline 2025-01-28T08:39:58.531Z INFO [mongod_upgrade::commands] Shutdown output: Document({}) 2025-01-28T08:40:00.234Z INFO [mongod_upgrade::commands] UPGRADE_TO_7.0_SUCCESSFUL 2025-01-28T08:40:02.234Z INFO [mongod_upgrade::commands] Attempting to update status 2025-01-28T08:40:02.240Z INFO [mongod_upgrade::commands] Status updated successfully 2025-01-28T08:40:02.253Z INFO [mongod_upgrade] Waiting for other nodes in replica set to upgrade 2025-01-28T08:40:02.258Z DEBUG [mongod_upgrade::conditions] Upgraded count: 1 2025-01-28T08:40:02.258Z INFO [mongod_upgrade] All upgraded to 7.0, proceeding. 2025-01-28T08:40:02.259Z INFO [mongod_upgrade] Setting new FCV Version: 7.0 2025-01-28T08:40:02.281Z INFO [mongod_upgrade] FCV change successful: () 2025-01-28T08:40:17.281Z INFO [mongod_upgrade] Upgrades completed 2025-01-28T08:40:17.287Z INFO [mongod_upgrade] Waiting for completion 2025-01-28T08:40:17.289Z DEBUG [mongod_upgrade::conditions] Completed count: 1 2025-01-28T08:40:17.289Z DEBUG [mongod_upgrade::conditions] Hostname count: 1 2025-01-28T08:40:17.289Z INFO [mongod_upgrade] All completed 2025-01-28T08:40:17.394Z INFO [mongod_upgrade] Dropped migration metadata database. 2025-01-28T08:40:17.403Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-28T08:40:18.363Z WARN [mongod_upgrade] mongod failed to shut down before exiting: Kind: I/O error: unexpected end of file, labels: {}  and below the correct mongodb version splunk show kvstore-status --verbose | grep -i serverversion serverVersion : 7.0.14 Since ours was a test server, and other than the default Splunk server we don't use anything that uses the KV Store, we didn't restore the backed up KV Store. Splunk does it automatically when upgrading the version, but it is recommended to do it manually and then restore the KV Store in case something goes wrong. Furthermore, it is never recommended to upgrade Splunk to version .0, but at least wait for the next versions, for example .3 because many bugs are solved that are often present in the .0 version (eg: 9.4.3 version). ... View more

Re: KVstore unable to start after upgrade to Splun...

by in Splunk Enterprise
‎01-27-2025 08:47 AM
‎01-27-2025 08:47 AM
Same issue here on a VM with Ubuntu 22.04 LTS, after upgrade from Splunk 9.3.2 to Splunk 9.4.0, mongodb fail to start. The "avx" and "avx2" vCPU flags are ok: $ lscpu | grep -i avx Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap xsaveopt arat md_clear flush_l1d arch_capabilities below latest mongod_upgrade.log lines 2025-01-27T08:38:58.162Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-27T08:38:58.162Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-27T08:38:58.163Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-27T08:38:58.163Z INFO [mongod_upgrade] Getting lock 2025-01-27T08:38:58.163Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-27T08:38:58.164Z INFO [mongod_upgrade::conditions] locked 2025-01-27T08:38:58.164Z INFO [mongod_upgrade] Got lock: true 2025-01-27T08:38:58.164Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 4.4 2025-01-27T08:38:58.164Z INFO [mongod_upgrade::commands] In update for 4.4 2025-01-27T08:38:59.046Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-27T08:38:59.822Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(8), source: None } 2025-01-27T08:39:05.832Z INFO [mongod_upgrade::commands] Checking if mongod is online 2025-01-27T08:39:35.834Z INFO [mongod_upgrade::commands] mongod is offline 2025-01-27T08:39:35.834Z INFO [mongod_upgrade::commands] Shutdown output: Document({}) 2025-01-27T08:39:37.263Z INFO [mongod_upgrade::commands] UPGRADE_TO_4.4_SUCCESSFUL 2025-01-27T08:39:39.263Z INFO [mongod_upgrade::commands] Attempting to update status 2025-01-27T08:39:39.265Z INFO [mongod_upgrade::commands] Status updated successfully 2025-01-27T08:39:39.271Z INFO [mongod_upgrade] Waiting for other nodes in replica set to upgrade 2025-01-27T08:39:39.272Z DEBUG [mongod_upgrade::conditions] Upgraded count: 1 2025-01-27T08:39:39.272Z INFO [mongod_upgrade] All upgraded to 4.4, proceeding. 2025-01-27T08:39:39.272Z INFO [mongod_upgrade] Setting new FCV Version: 4.4 2025-01-27T08:39:39.284Z INFO [mongod_upgrade] FCV change successful: () 2025-01-27T08:39:54.284Z INFO [mongod_upgrade] Upgrading to 5.0 2025-01-27T08:39:54.286Z INFO [mongod_upgrade] Waiting if primary 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(19), "optime": Document({"ts": Timestamp { time: 1737967179, increment: 4 }, "t": Int64(58)}), "optimeDate": DateTime(2025-01-27 8:39:39.0 +00:00:00), "lastAppliedWallTime": DateTime(2025-01-27 8:39:39.278 +00:00:00), "lastDurableWallTime": DateTime(2025-01-27 8:39:39.278 +00:00:00), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("Could not find member to sync from"), "electionTime": Timestamp { time: 1737967177, increment: 1 }, "electionDate": DateTime(2025-01-27 8:39:37.0 +00:00:00), "configVersion": Int32(2), "configTerm": Int32(58), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-27T08:39:54.287Z INFO [mongod_upgrade] Getting lock 2025-01-27T08:39:54.288Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-27T08:39:54.288Z INFO [mongod_upgrade::conditions] locked 2025-01-27T08:39:54.288Z INFO [mongod_upgrade] Got lock: true 2025-01-27T08:39:54.289Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 5.0 2025-01-27T08:39:54.289Z INFO [mongod_upgrade::commands] In update for 5.0 2025-01-27T08:39:54.555Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-27T08:39:55.409Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(9), source: None }  and below the mongod.log error after a splunk start/restart 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1075M,cache_overflow=(file_max=0M),session_max=33000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000,close_scan_interval=10,close_handle_minimum=250),statistics_log=(wait=0),verbose=[recovery_progress,checkpoint_progress], 2025-01-27T15:56:53.003Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:3955][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:3955][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.027Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:27009][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:27009][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.049Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:49077][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:49077][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.080Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:80951][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:80951][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.096Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:96579][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:96579][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.103Z W STORAGE [initandlisten] Failed to start up WiredTiger under any compatibility version. 2025-01-27T15:56:53.103Z F STORAGE [initandlisten] Reason: -31802: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.103Z F - [initandlisten] Fatal Assertion 28595 at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp 928 2025-01-27T15:56:53.103Z F - [initandlisten] \n\n***aborting after fassert() failure\n\n  it seems that was stuck on 5.0 mongodb upgrade after 9.4.0 Splunk upgrade. Any suggestion how to resolve the issue? Regards. ... View more

Re: KVstore unable to start after upgrade to Splun...

by in Splunk Enterprise
‎01-27-2025 08:36 AM
‎01-27-2025 08:36 AM
Same issue here on an Ubuntu 22.04 LTS VM, tried to upgrade on test environment from 9.3.2 to 9.4.0 and mongodb fail to start. Below last mongod_upgrade.log lines 2025-01-27T08:38:58.160Z INFO [mongod_upgrade] All initialized 2025-01-27T08:38:58.160Z INFO [mongod_upgrade] Upgrading to 4.4 2025-01-27T08:38:58.161Z INFO [mongod_upgrade] Waiting if primary 2025-01-27T08:38:58.162Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(83), "optime": Document({"ts": Timestamp { time: 1737967138, increment: 2 }, "t": Int64(57)}), "optimeDate": DateTime(2025-01-27 8:38:58.0 +00:00:00), "syncingTo": String(""), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("could not find member to sync from"), "electionTime": Timestamp { time: 1737967059, increment: 1 }, "electionDate": DateTime(2025-01-27 8:37:39.0 +00:00:00), "configVersion": Int32(1), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-27T08:38:58.162Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-27T08:38:58.162Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-27T08:38:58.163Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-27T08:38:58.163Z INFO [mongod_upgrade] Getting lock 2025-01-27T08:38:58.163Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-27T08:38:58.164Z INFO [mongod_upgrade::conditions] locked 2025-01-27T08:38:58.164Z INFO [mongod_upgrade] Got lock: true 2025-01-27T08:38:58.164Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 4.4 2025-01-27T08:38:58.164Z INFO [mongod_upgrade::commands] In update for 4.4 2025-01-27T08:38:59.046Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-27T08:38:59.822Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(8), source: None } 2025-01-27T08:39:05.832Z INFO [mongod_upgrade::commands] Checking if mongod is online 2025-01-27T08:39:35.834Z INFO [mongod_upgrade::commands] mongod is offline 2025-01-27T08:39:35.834Z INFO [mongod_upgrade::commands] Shutdown output: Document({}) 2025-01-27T08:39:37.263Z INFO [mongod_upgrade::commands] UPGRADE_TO_4.4_SUCCESSFUL 2025-01-27T08:39:39.263Z INFO [mongod_upgrade::commands] Attempting to update status 2025-01-27T08:39:39.265Z INFO [mongod_upgrade::commands] Status updated successfully 2025-01-27T08:39:39.271Z INFO [mongod_upgrade] Waiting for other nodes in replica set to upgrade 2025-01-27T08:39:39.272Z DEBUG [mongod_upgrade::conditions] Upgraded count: 1 2025-01-27T08:39:39.272Z INFO [mongod_upgrade] All upgraded to 4.4, proceeding. 2025-01-27T08:39:39.272Z INFO [mongod_upgrade] Setting new FCV Version: 4.4 2025-01-27T08:39:39.284Z INFO [mongod_upgrade] FCV change successful: () 2025-01-27T08:39:54.284Z INFO [mongod_upgrade] Upgrading to 5.0 2025-01-27T08:39:54.286Z INFO [mongod_upgrade] Waiting if primary 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Replication status doc for node: Document({"_id": Int32(0), "name": String("127.0.0.1:8191"), "health": Double(1.0), "state": Int32(1), "stateStr": String("PRIMARY"), "uptime": Int32(19), "optime": Document({"ts": Timestamp { time: 1737967179, increment: 4 }, "t": Int64(58)}), "optimeDate": DateTime(2025-01-27 8:39:39.0 +00:00:00), "lastAppliedWallTime": DateTime(2025-01-27 8:39:39.278 +00:00:00), "lastDurableWallTime": DateTime(2025-01-27 8:39:39.278 +00:00:00), "syncSourceHost": String(""), "syncSourceId": Int32(-1), "infoMessage": String("Could not find member to sync from"), "electionTime": Timestamp { time: 1737967177, increment: 1 }, "electionDate": DateTime(2025-01-27 8:39:37.0 +00:00:00), "configVersion": Int32(2), "configTerm": Int32(58), "self": Boolean(true), "lastHeartbeatMessage": String("")}) 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Hostname from replSetGetStatus: "127.0.0.1:8191" 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Hostname from preflight: "127.0.0.1:8191" 2025-01-27T08:39:54.287Z DEBUG [mongod_upgrade::conditions] Upgraded count: 0 2025-01-27T08:39:54.287Z INFO [mongod_upgrade] Getting lock 2025-01-27T08:39:54.288Z DEBUG [mongod_upgrade::conditions] Upserting lock 2025-01-27T08:39:54.288Z INFO [mongod_upgrade::conditions] locked 2025-01-27T08:39:54.288Z INFO [mongod_upgrade] Got lock: true 2025-01-27T08:39:54.289Z INFO [mongod_upgrade::commands] Updating 127.0.0.1:8191 to 5.0 2025-01-27T08:39:54.289Z INFO [mongod_upgrade::commands] In update for 5.0 2025-01-27T08:39:54.555Z INFO [mongod_upgrade::commands] Shutting down the database 2025-01-27T08:39:55.409Z WARN [mongod_upgrade::commands] Attempting with force:true due to shutdown failure: Error { kind: Io(Kind(UnexpectedEof)), labels: {}, wire_version: Some(9), source: None } and below mongod.log after Splunk start/restart 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem 2025-01-27T15:56:52.142Z I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1075M,cache_overflow=(file_max=0M),session_max=33000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000,close_scan_interval=10,close_handle_minimum=250),statistics_log=(wait=0),verbose=[recovery_progress,checkpoint_progress], 2025-01-27T15:56:53.003Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:3955][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:3955][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.027Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:27009][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:27009][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.049Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:49077][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:49077][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.080Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:80951][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:80951][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.096Z E STORAGE [initandlisten] WiredTiger error (-31802) [1737993413:96579][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error Raw: [1737993413:96579][338955:0x7f36dba58b40], connection: __log_open_verify, 925: unsupported WiredTiger file version: this build only supports versions up to 4, and the file is version 5: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.103Z W STORAGE [initandlisten] Failed to start up WiredTiger under any compatibility version. 2025-01-27T15:56:53.103Z F STORAGE [initandlisten] Reason: -31802: WT_ERROR: non-specific WiredTiger error 2025-01-27T15:56:53.103Z F - [initandlisten] Fatal Assertion 28595 at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp 928 2025-01-27T15:56:53.103Z F - [initandlisten] \n\n***aborting after fassert() failure\n\n we have avx and avx2 CPU Flags $ lscpu | grep -i avx Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap xsaveopt arat md_clear flush_l1d arch_capabilities it seems that mongodb is in stuck state and did not completed the upgrade correctly. Any suggestion how to resolve? Regards ... View more

Splunk App for Salesforce on Splunk Cloud: "lookup...

by in All Apps and Add-ons
‎09-14-2022 03:11 AM
‎09-14-2022 03:11 AM
Hello, we are using Splunk App for Salesforce in the Splunk Cloud environment. We noticed that the App through the saved search "Lookup - ACCOUNT_ID TO ACCOUNT_NAME" every week at midnight creates a CSV file called "lookup_sfdc_accounts.csv", which in our case is populated with over 4 million lines and consequently the size of the files are nearly 500MB. The problem is that due to the size of this lookup, Splunk Cloud cannot replicate the bundle and the following message appears: The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is [...]. We do not have the ability to filter events and reduce the size of the lookup. Has anyone been in the same situation? Is it possible to solve somehow, for example by migrating the lookup to KV Store? Any suggestions? The App is not directly supported by Splunk and I cannot find the developer's contacts to submit the case. ... View more

Re: Centurion - Threat Hunting Feed Aggregator v1....

by in All Apps and Add-ons
‎06-03-2020 05:40 AM
‎06-03-2020 05:40 AM
Hello, I've found a WA for now. On variables.py under $SPLUNK_HOME/etc/apps/Centurion/bin you need to insert proxy config for requests module: import requests proxies = { 'http': 'http://<your_proxy>:<your_proxy_port>', 'https': 'http://<your_proxy>:<your_proxy_port>', } then you need to configure single py services scripts that use Python requests module adding proxies import and configurations, following example is for abuseip.py, on line 8 modify script from: from variables import abuseipkey,index_name to from variables import abuseipkey,index_name,proxies then on requests.get on line 59, modify from: res = requests.get(url, params=params) to res = requests.get(url, params=params, proxies=proxies) and so on for all services that use Python requests module. For services that not use Python requests module, you need to declare Proxy and add set_tunnel, so for AlienVault.py modify line 33 and 34 from: conn = httplib.HTTPSConnection("otx.alienvault.com") conn1 = httplib.HTTPSConnection("otx.alienvault.com") to conn = httplib.HTTPSConnection("<your_proxy>", <your_port>) conn.set_tunnel("otx.alienvault.com") conn1 = httplib.HTTPSConnection("<your_proxy>", <your_port>) conn1.set_tunnel("otx.alienvault.com") and so on for other services that not using Python requests module. For neutrino.py on line 44 before string: reqReputation = urllib2.Request(urlReputation, urllib.urlencode(params).encode("utf-8")) you need to add following lines: ## Proxy Mod START proxy = urllib2.ProxyHandler({'https': 'http://<your_proxy>:<your_proxy_port>'}) opener = urllib2.build_opener(proxy) urllib2.install_opener(opener) ## Proxy Mod END I strongly suggest in next App version to make the ability to configure Proxy globally on App, not all companies have te ability to exit Internet directly from Splunk. Regards ... View more

Re: Centurion - Threat Hunting Feed Aggregator v1....

by in All Apps and Add-ons
‎05-28-2020 07:56 AM
‎05-28-2020 07:56 AM
Sorry, I don't need proxy to be configured globally, but I need proxy configuration per App. The proxy configuration mentioned in above url is for splunkd only and doesn't work with Apps. ... View more

Centurion - Threat Hunting Feed Aggregator v1.0.1 ...

by in All Apps and Add-ons
‎05-26-2020 09:12 AM
‎05-26-2020 09:12 AM
Hello, I've installed Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1 and I need to configure a proxy for exit on the internet. Any suggestion for where to put proxy settings for quick resolving with a WA? I suggest making a modification on the next App version to add the option to allow the user to modify proxy settings through the App web interface on Splunk. Regards ... View more
Labels

Re: Proofpoint - ET Splunk TA - Proxy settings

by in All Apps and Add-ons
‎05-05-2020 03:24 AM
‎05-05-2020 03:24 AM
Hello, I managed the change of the proxy with following modification in $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py - Original script - def make_url(authcode, fname): url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format( authcode, fname) request = Request(url) request.set_proxy('http://<your_proxy>:<your_port>','http') logger.debug("Version is %s", VERSION) agent = "ET-SPLUNK-TA (" + VERSION + ")" logger.debug("User-agent is %s", agent) request.add_header("User-agent", agent) return request - Modified script (adding "request.set_proxy" below line 104) - def make_url(authcode, fname): url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format( authcode, fname) request = Request(url) request.set_proxy('http://<your_proxy>:<your_port>','http') logger.debug("Version is %s", VERSION) agent = "ET-SPLUNK-TA (" + VERSION + ")" logger.debug("User-agent is %s", agent) request.add_header("User-agent", agent) return request Thank you. ... View more

Proofpoint - ET Splunk TA - Proxy settings

by in All Apps and Add-ons
‎03-30-2020 02:08 AM
‎03-30-2020 02:08 AM
Hello, I've installed Proofpoint - ET Splunk TA v1.1.5 on Splunk Enterprise v7.2.9.1 and I need to configure a Proxy for exit on Internet. - Issue: I need to use a Proxy for exit on Internet, and when I set Proxy globally on OS, I can contact all sites, but Proofpoint - ET Splunk TA cannot contact Proofpoint API through Proxy, I assume that App contact Proofpoint API directly. After some debugging, I've seen line 101 on $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py file that reports def make_url(authcode, fname): url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format( authcode, fname) request = Request(url) logger.debug("Version is %s", VERSION) agent = "ET-SPLUNK-TA (" + VERSION + ")" logger.debug("User-agent is %s", agent) request.add_header("User-agent", agent) return request I want to know how to setup Proxy lines into the script for exit Internet. I suggest to make a modification on next App version, and add option to allow the user to modify Proxy Settings through App Web Interface on Splunk. Any suggestion for quick resolve with a WA? Regards ... View more

Re: Shodan App, Proxy and Query Rate Limit

by in All Apps and Add-ons
‎06-12-2019 07:52 AM
‎06-12-2019 07:52 AM
The WA works like a charm and fixes the second issue. I also suggest you to add some detailed documentation about App, to better understand all the functionalities. Thank you for quick WA and for this awesome App. ... View more

Shodan App, Proxy and Query Rate Limit

by in All Apps and Add-ons
‎06-12-2019 03:33 AM
‎06-12-2019 03:33 AM
Hello, I've installed Hurricane Labs App for Shodan v2.0.1 on Splunk Enterprise v7.2.4 and I've found some issues in App usage and functionality. - First Issue: I need to use a Proxy for exit on Internet, and when I set Proxy globally on OS, I can contact all sites, but Shodan App cannot contact Shodan API through Proxy, App contact Shodan API directly (I've done some tcpdumps to hit the problem). After some debugging, I've found the issue and modified line 173 on $SPLUNK_HOME/etc/apps/Hurricane_Labs_App_for_Shodan/bin/shodan/client.py file that reports def __init__(self, key, proxies=None): """Initializes the API object. :param key: The Shodan API key. :type key: str :param proxies: A proxies array for the requests library, e.g. {'https': 'your proxy'} :type proxies: dict """ now I can contact Shodan API through Proxy. I suggest to make a modification on next App version, and add option to allow the user to modify Proxy Settings through App Web Interface on Splunk. - Second Issue: I need to add several subnets starting from /24 ending to /29, and after adding almost 20 subnets on "Configure Subnets" section, I receive a message that indicate the App cannot sync with Shodan: No IPs to use. Add an IP above. So I try to execute manual command to force list refresh: | getshodan [|inputlookup shodan_my_subnets | stats values(ipAddress) AS ips | eval netlist=mvjoin(ips, ",") | table netlist] | outputlookup shodan_output and after some seconds it answer with Request rate limit reached: APIError at "$SPLUNK_HOME/etc/apps/Hurricane_Labs_App_for_Shodan/bin/shodan/client.py", line 255 : Request rate limit reached (1 request/ second). Please wait a second before trying again and slow down your API calls. that's a problem, because App don't consider Shodan API Request rate limit, and this is a big problem. Also I suggest to modify next App version with Shodan API Requests rate limit. Any suggestion for quick resolve with a WA? Regards ... View more

"trendmicro" stanza typo in props.conf EVAL-severi...

by in All Apps and Add-ons
‎01-09-2019 08:38 AM
‎01-09-2019 08:38 AM
Hi, I've installed TA-trendmicro_cm_cef (Control Manager) v1.0.2 and splunkd.log reported following warning message WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ). I've analyzed and seen there's a typo in TA default/props.conf EVAL-severity expression, Information word was not quoted correctly EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical") I've created a workaround in local/props.conf and pasted corrected strings for above eval expression [trendmicro] KV_MODE = none REPORT-trendmicro_cef = trendmicro_cef REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys EVAL-date = date_month+" "+date_mday+" "+date_year EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred") EVAL-severity = case(CLF_SeverityCode="0", "Unknown", CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical") EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail) EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser) EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst) EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost) FIELDALIAS-file_name = fname AS file_name FIELDALIAS-file_path = filePath AS file_path EVAL-product = "TrendMicro" FIELDALIAS-product_version = VLF_PatternNumber AS product_version EXTRACT-act = act=(?P<act>.+?) [\w\d]+= EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+= EXTRACT-fname = fname=(?P<fname>.+?)\s\w+= EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+= EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+= FIELDALIAS-dest = dhost AS dest FIELDALIAS-dest1 = shost AS dest Is it possible to fix typo in next TA release? Regards ... View more

Re: Why are field aliases not working in the FireE...

by in All Apps and Add-ons
‎01-08-2019 11:37 AM
‎01-08-2019 11:37 AM
Same issue for me on single Splunk v6.6.3 instance (SH and Indexer on single Server) with FireEye App for Splunk Enterprise v3.1.1. If I try search in FireEye App, fieldalias doesn't work, so dashboards not populated correctly. When I try search in Splunk default search App, all fieldalias extracting correctly. I've tried setting global permission on App with no chance. Any suggestion? Regards ... View more

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authent...

by in All Apps and Add-ons
‎11-12-2018 08:18 AM
‎11-12-2018 08:18 AM
Thank you for answer. I'll submit a case to Splunk Support. ... View more

Re: Splunk Add-on for F5 BIG-IP v2.6.0 CIM authent...

by in All Apps and Add-ons
‎11-12-2018 07:51 AM
‎11-12-2018 07:51 AM
Hi walterk82 and thank you for your answer. I try to explain, I think there's another issue, in TA default/eventtypes.conf 61-62 lines there's configured: [f5_bigip_apm_username_received] search = sourcetype="f5:bigip:apm:syslog" ": Username" above stanza recall authentication dataset action in default/tags.conf 117-123 lines: [eventtype=f5_bigip_apm_username_received] network = enabled communicate = enabled session = enabled authentication = enabled default = enabled web = enabled so when I try to searching for tag=authentication the action field was populated in "Access policy result:" rows only, not in "Username" rows with field values "success" or "failure" that are CIM expected values for Authentication datasets for populate Splunk ITSI or Splunk ES Premium Apps. May know a temporary workaround to put in the TA local/props.conf for extract Username success or failure action as expected? Thank you in advance for any help. ... View more

Splunk Add-on for F5 BIG-IP v2.6.0 CIM authenticat...

by in All Apps and Add-ons
‎11-09-2018 02:05 PM
‎11-09-2018 02:05 PM
Hello, I've installed Splunk Add-on for F5 BIG-IP v2.6.0 and Splunk Common Information Model (CIM) v4.12.0 on Splunk Enterprise 6.6.3 when I try to search authentication logs for apm (F5 VPN) index="f5" sourcetype="f5:bigip:apm:syslog" tag=authentication authentication actions field reports allowed or blocked on Access Policy logs only (not in Username logs), instead of success or failure that CIM authentication dataset documentation reports. Below log example Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:85157209: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.172 Listener /Common/ap_web_auth_vs (Reputation=Unknown) Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490506:5: /Common/ap_web_auth:Common:85157209: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0). Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490500:5: /Common/Network_Access_02:Common:8c6be305: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.174 Listener /Common/Network_Access_02_vs (Reputation=Unknown) Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490506:5: /Common/Network_Access_02:Common:8c6be305: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0). Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname: Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0 Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490005:5: /Common/Network_Access_02:Common:8c6be305: Following rule 'fallback' from item 'Resource Assign' to ending 'Allow' Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490128:5: /Common/Network_Access_02:Common:8c6be305: Webtop '/Common/Network_Access_02_webtop' assigned Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490008:5: /Common/Network_Access_02:Common:8c6be305: Connectivity resource '/Common/Network_Access_02_na_res' assigned Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu' Anyone experienced same issue? Thank you in advanced for any help. ... View more

Re: Why does migrating universal forwarder to 6.4....

by in Getting Data In
‎03-17-2017 03:04 AM
‎03-17-2017 03:04 AM
Ok I did the trick! Forwarder Upgrade with no custom options create Splunk_TA_windows that override my "domain_controller" app under UF path "$SPLUNK_HOME\etc\apps", I ran btool command and output following result: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog so I've uninstalled UF and reinstalled with "Customize Options" and uncheck all flags under "Windows Event Logs", after installation I've checked that "Splunk_TA_windows" directory that not exists under "$SPLUNK_HOME\etc\apps" then Start SplunkUniversalForwarder Service, Deployment Server pushed configurations to Deployment Client and now I receive logs. Thx all for support!!! ... View more

Re: Why does migrating universal forwarder to 6.4....

by in Getting Data In
‎03-17-2017 01:53 AM
‎03-17-2017 01:53 AM
No override, local directory is empty. ... View more

Re: Why does migrating universal forwarder to 6.4....

by in Getting Data In
‎03-17-2017 01:52 AM
‎03-17-2017 01:52 AM
Ok I'll try to execute above command and paste output. ... View more

Re: Why does migrating universal forwarder to 6.4....

by in Getting Data In
‎03-16-2017 02:16 PM
‎03-16-2017 02:16 PM
I know that events going to new index that not exists, but my trouble is another. I've plain Splunk Enterprise Core, no TA, my issue is particular because before with SUF 5.0.2 to Indexer 6.4.1 Windows Event Log was Forwarded, after "clean" upgrade to SUF 6.4.3 Forwarder stop to send Event Log to Indexer 6.4.1. Before SUF upgrade Event Logs were going to "main" index with no explicit declaration in inputs.conf, so I've tried to configure explicitly the previous used index in inputs.conf and reload serverclasses with no success, and I don't need to create new index because prior upgrade this worked. In Preproduction Environment all works fine and SUF forward events log to Indexer. I hope I explained myself. ... View more

Why does migrating universal forwarder to 6.4.3 di...

by in Getting Data In
‎03-16-2017 12:34 PM
‎03-16-2017 12:34 PM
Hi all, I've 3 Splunk 6.4.1 Indexers and a Splunk 6.4.1 Search Head + Distributed Management Console (DMC) on Linux Red Hat 6.6. I've tested Windows Event Log in Windows 2008 R2 Domain Controller Servers in Preproduction environment with 1 Splunk 6.4.1 Indexer + Search Head + DMC, forwarded Event Logs all ok. I've migrated Splunk Universal Forwarder (SUF) in Production from 5.0.2 to 6.4.3 with clean Installation (Uninstall SUF 5.0.2, Reboot Server and Reinstall SUF 6.4.3), and before with SUF 5.0.2 Windows Events was forwarded with no problem, after SUF Clean Upgrade to 6.4.3 I receive once following message: Received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::my-host' sourcetype='sourcetype::WinEventLog:System' (1 missing total) and Event Logs stopped to be forwarded. I haven't changed configuration on my Indexers and Search Head, below my configuration: $SPLUNK_HOME/etc/system/local/serverclass.conf List item [serverclass:domain_controller] host = my-dc-host [serverclass:domain_controller:app:domain_controller] * $SPLUNK_HOME/etc/deployment-apps/domain_controller/default/inputs.conf [WinEventLog://Security] disabled = 0 (I've also tried to add "index = main" on bottom of above stanza with no results). And other configurations to send logs globally from deployment clients to deployment server... I've tried to uninstall and reinstall SUF 6.4.3, but no issue resolved, I've also read all Splunk Answers on same problem, but before SUF upgrade Windows Event Logs was Forwarded with no problem, and in Preproduction all works fine. Any suggestion? Regards. ... View more
Contact Me
Karma from
View All
Karma given to
View All