Splunk Enterprise Security

Error when upgrading to Splunk Enterprise Security 6.0

hettervik
Builder

Hi.

I have some problems upgrading to Splunk ES 6.0. Normally I've just done the upgrade in the UI, no problem. However, this time, after I've uploaded the spl-file, checked the "upgrade" check box, and clicked "install", the browser just takes me to an error page. I've tried Chrome, Firefox and IE. Chrome says "This site can't be reached" and Firefox says "Secure connection failed". Also I've tried installing the spl-file with the CLI install command ./splunk install app <file.spl> -update 1. I don't know if this is supported for Splunk ES, but I tried anyways. Though I get an error message here as well, "Error during app install: failed to extract app from long-file-path: No such file or directory".

Anyone have an idea on how to troubleshoot this, or know any possible fixes?

Alternatively, is there any guide on how to install Splunk ES "manually" by extracting it to the app directory? I've tried this as well, but I get a lot of errors regarding DAs and SEs being in the wrong version, so I guess I would have to upgrade all of these add-ons manually as well, but I'm not sure if this method of upgrading Splunk ES is okay.

1 Solution

hettervik
Builder

I found a workaround. I extracted the spl-file and copied the whole app directory for Splunk ES SplunkEnterpriseSecuritySuite over to my Splunk ES server, and moved it into the app folder, writing over the existing Splunk ES app. Then I ran the Splunk ES install command in the web GUI search bar (which I didn't know existed before just now). First a dry run | essinstall --dry-run, and then the actual run, skipping all TAs | essinstall --skip-ta *.

More information on the essinstall command can be found here: https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity#Install_Splunk_Ente...


andsov
Explorer

We also experienced the same error message when upgrading to 6.4.1. 

I tried to run the same SPL as you

| essinstall --skip-ta * 

 
Which returned:
[Image: Image Pasted at 2021-2-10 11-36.png]

So I think that "--skip-ta" might be deprecated. But the following worked for me at least:

| essinstall --ssl_enablement auto

ryansaunders
Explorer

This appears to be caused by the max_upload_size parameter being set too low. Splunk's default max_upload_size is 500, which is smaller than the ES 6.0 installer.

Increase the max_upload_size parameter in web.conf and this should clear up for you.

See step 2 of the installation instructions here: https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity
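
A pre-flight check for the size limit described in the post above, as an added example that is not part of the original thread or Splunk's own tooling. It assumes max_upload_size is given in megabytes in the [settings] stanza of web.conf and reads one web.conf file only (not Splunk's merged configuration); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare an app package against Splunk Web's upload limit.
# Assumption: 500 MB is the default cited in the thread.
DEFAULT_LIMIT_MB=500

# Print max_upload_size from the [settings] stanza of one web.conf file.
# Falls back to the default when the file, stanza or a numeric value is absent.
upload_limit_mb() {
    val=
    if [ -f "$1" ]; then
        val=$(awk -F= '
            /^[ \t]*\[/ { in_settings = ($0 ~ /^[ \t]*\[settings\][ \t]*$/); next }
            in_settings && $1 ~ /^[ \t]*max_upload_size[ \t]*$/ {
                gsub(/[ \t\r]/, "", $2); v = $2   # last assignment wins
            }
            END { if (v != "") print v }
        ' "$1")
    fi
    case "$val" in
        ''|*[!0-9]*) val=$DEFAULT_LIMIT_MB ;;
    esac
    echo "$val"
}

# Package size in whole megabytes, rounded up.
package_size_mb() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $(( (bytes + 1048575) / 1048576 ))
}

# Return 0 when the package fits under the limit, 1 when the upload would be rejected.
check_upload() {
    size=$(package_size_mb "$1")
    limit=$(upload_limit_mb "$2")
    if [ "$size" -gt "$limit" ]; then
        echo "FAIL: $1 is ${size} MB, max_upload_size is ${limit} MB"
        return 1
    fi
    echo "OK: $1 is ${size} MB, max_upload_size is ${limit} MB"
}

# Run as: sh check_upload.sh <package.spl> <path/to/web.conf>
if [ $# -eq 2 ]; then
    check_upload "$1" "$2"
fi
```

A FAIL result means the limit in web.conf has to be raised and Splunk Web restarted before retrying the upload.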

melnapoles
Engager

It looks like this has been a known issue recorded in the ES v6.0 release notes. Check out issue number SOLNESS-14637 and a listed workaround here: https://docs.splunk.com/Documentation/ES/6.0.0/RN/KnownIssues.

hettervik
Builder

Actually the issue you're referring to seems to be another issue. The problem I had was that I was not able to upload the Splunk ES .spl install file in the first place. Other Splunk install files still worked.


mwyman_splunk
Splunk Employee

For version ES 6.4.1, we were able to pass an argument to ignore the ssl_enablement and the installer worked correctly on our search head deployer. The command was: splunk search '| essinstall --deployment_type shc_deployer --ssl_enablement ignore' -auth admin:<pwd>
