Splunk Enterprise Security

Issues after upgrading Splunk Enterprise security to 5.3

ranjitbrhm1
Communicator

Good Day All,
I recently upgraded my ES running on a Linux box to 5.3. The update went smoothly, but once the update finished the investigation tab shows Unexpected token < in JSON at position 0
The incident review shows
External handler failed with code '1' and output: ". See splunkd.log for stderr output.
The content management site shows something about cannot access lookup table, as I don't remember exactly what the error is.
The splunkd.log seems to be showing a lot of errors about python 2.4. The site being secure, I cannot directly copy the logs out from the server. Has anyone run into the above listed errors upgrading to Splunk ES 5.3?
Thanks

0 Karma
1 Solution

ranjitbrhm1
Communicator

I am actually not sure what fixed my issue, but it might be one of the below steps or both.
1. Once the upgrade is completed there are a couple of tasks that have to be done, like deleting some files from the ES directory. It is documented in the Splunk docs under upgrade of ES. Complete those steps.
2. Completely upgrade your Splunk instance to the latest version. Once done, restart the whole instance and the errors will go away.
Thanks


0 Karma

ssattler
Path Finder

Same problem, I am going to open a support ticket to get it working.

0 Karma

ssattler
Path Finder

You have to copy over a .py file that support gives you.

0 Karma

smoir_splunk
Splunk Employee

Did you clear the web browser cache after the upgrade? Do you see any errors in splunkd.log? Did the upgrade complete and all supporting add-ons were successfully updated?

Please share the troubleshooting steps you took after identifying these errors 🙂

0 Karma

ranjitbrhm1
Communicator

I didn't clear the browser cache actually. I tried moving the ES to disabled folders, reinstalled the Splunk ES app and it's the same error. Being a secure site I couldn't copy out the exact logs from the splunkd log. I remember the SA apps and the DA apps complaining about python repeating on the log file every time I try to access the tabs.

0 Karma