All Apps and Add-ons

Why is my KV store not being initializing after new app install?

scottrunyon
Contributor

After migrating from OSSEC to Wazuh , I installed the Wazuh app ver. 3.10.2. When starting the app, the API screen comes up with the message - "Kv Store is being initialized please wait some seconds and try again later." I has been a few days and the KV store is still not there.

What do I need to do to get the KV store initialized?

System details - single instance running Splunk Enterprise 7.3.0

Regards,

Scott

0 Karma
1 Solution

ivanreis
Builder

I never deployed this app before. I did a quick search and it is possible the Wazuh app ver. 3.10.2 that was deployed is for Splunk 8.0.
At this link you have the Wazuh app version to deploy to Splunk 7.3.0 -> https://github.com/wazuh/wazuh-splunk

I suggest to remove the current installation of Wazuh app and start splunk to make sure the kvstore is properly initialised, deploy the Wazuh app for Splunk 7.3.0 or you can troubleshoot the kvstore to identify the issue following this procedure.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/TroubleshootKVstore.

Also recommend you can run a backup of the kvstore once it is properly initialised to avoid lose data.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/BackupKVstore

And as the last try, I will try to resync the kvstore, but you can lose all the data that is kvstore, so be carefully if you choose this option, make sure you back it first.

View solution in original post

0 Karma

ivanreis
Builder

I never deployed this app before. I did a quick search and it is possible the Wazuh app ver. 3.10.2 that was deployed is for Splunk 8.0.
At this link you have the Wazuh app version to deploy to Splunk 7.3.0 -> https://github.com/wazuh/wazuh-splunk

I suggest to remove the current installation of Wazuh app and start splunk to make sure the kvstore is properly initialised, deploy the Wazuh app for Splunk 7.3.0 or you can troubleshoot the kvstore to identify the issue following this procedure.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/TroubleshootKVstore.

Also recommend you can run a backup of the kvstore once it is properly initialised to avoid lose data.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/BackupKVstore

And as the last try, I will try to resync the kvstore, but you can lose all the data that is kvstore, so be carefully if you choose this option, make sure you back it first.

0 Karma

scottrunyon
Contributor

Looking at the app configs, I noticed that under /default/package.conf, there is a stanza -

[splunk]
version = 8.0.0

I am running 7.3.0, If I override this parameter, will it help?

0 Karma

ivanreis
Builder

I never deployed this app before. I did a quick search and it is possible the Wazuh app ver. 3.10.2 that was deployed is for Splunk 8.0.
At this link you have the Wazuh app version to deploy to Splunk 7.3.0 -> https://github.com/wazuh/wazuh-splunk

I suggest to remove the current installation of Wazuh app and start splunk to make sure the kvstore is properly initialised, deploy the Wazuh app for Splunk 7.3.0 or you can troubleshoot the kvstore to identify the issue following this procedure.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/TroubleshootKVstore.

Also recommend you can run a backup of the kvstore once it is properly initialised to avoid lose data.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/BackupKVstore

And as the last try, I will try to resync the kvstore, but you can lose all the data that is kvstore, so be carefully if you choose this option, make sure you back it first.

0 Karma

scottrunyon
Contributor

I did find the app for 7.3.0 and now have it installed. I am now getting the API config screen.

ivanreis, if you would place your response as and answer, I would like to vote it as an answer.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...