Splunk Enterprise Security

Issues after upgrading Splunk Enterprise security to 5.3

ranjitbrhm1
Communicator

Good Day All,
I recently upgraded my ES running on a linux box to 5.3. The update went smooth but once the update got finished the investigation tab shows Unexpected token < in JSON at position 0
The incident review shows
External handler failed with code '1' and output: ". See splunkd.log for stderr output.
The content management site shows something about cannot access lookup table as i dont remember exactly what the error is.
The splunkd.log seems to be showing a lot of errors about python 2.4. The site being secure i cannot directly copy the logs out from the server. Has anyone ran into the above listed errors upgrading to splunk ES 5.3?
Thanks

0 Karma
1 Solution

ranjitbrhm1
Communicator

I am actually not sure what fixed my issue but it might be one of the below steps or both.
1. Once the upgrade is completed there are a couple of tasks that have to be done like deleting some files from the ES directory. It is documented in the splunk docs under upgrade of ES. Complete those steps.
2. Completely upgrade your splunk instance to the latest version. Once done, restart the whole instance and the errors will go away.
Thanks

View solution in original post

0 Karma

ranjitbrhm1
Communicator

I am actually not sure what fixed my issue but it might be one of the below steps or both.
1. Once the upgrade is completed there are a couple of tasks that have to be done like deleting some files from the ES directory. It is documented in the splunk docs under upgrade of ES. Complete those steps.
2. Completely upgrade your splunk instance to the latest version. Once done, restart the whole instance and the errors will go away.
Thanks

0 Karma

ssattler
Path Finder

same problem, I am going to open a support ticket to get it working.

0 Karma

ssattler
Path Finder

you have to copy over a .py file that support gives you.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Did you clear the web browser cache after the upgrade? Do you see any errors in splunkd.log? Did the upgrade complete and all supporting add-ons were successfully updated?

Please share the troubleshooting steps you took after identifying these errors 🙂

0 Karma

ranjitbrhm1
Communicator

I didnt clear the browser cache actually. I tried moving the ES to disabled folders, reinstalled the splunk ES app and its the same error. Being a secure site i couldnt copy out the exact logs from the splunkd log. I remember the SA apps and the DA apps complaining about python repeating on the log file every time i try to access the tabs.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...