Splunk Enterprise Security

Failed to execute KV Store lookup

Prakhar_shukla
Path Finder

Since I upgraded Splunk Enterprise to 5.5.3 and installed the Enterprise Security app, I am getting the following error continuously in splunkd.log.

Failed to execute KV Store lookups: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

and some other failed external commands.

0 Karma
1 Solution

Prakhar_shukla
Path Finder

I have upgraded the Splunk ES version to 4.7 and it seems to have fixed the issue.

0 Karma

LukeMurphey
Champion

Do you see anything that may indicate problems with MongoDB? You can see the logs with the following search:

index=_internal sourcetype=mongod

0 Karma

Prakhar_shukla
Path Finder

It seems normal. The error has been coming since I upgraded Enterprise and installed ES.

04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.

0 Karma

krish3
Contributor

Give it some time for the datamodels to run and the lookup builds to complete.

0 Karma

Prakhar_shukla
Path Finder

It's been 3 days; after installation I did nothing in ES or Splunk.

0 Karma

krish3
Contributor

Try running this search and post the output:

| rest /services/server/info | table host kvStoreStatus

Prakhar_shukla
Path Finder

kvStoreStatus is starting for both the search heads.

0 Karma

krish3
Contributor

Did you have a look at this case and check the permissions for the KV Store files & certificates?

The status of KV Store should be "ready".

0 Karma
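The splunkd.log errors quoted in this thread can be summarised per lookup to show which ES lookups are failing and how long KV Store initialization has been stalled. The Python below is an added example, not code from any poster or from Splunk; the sample log lines are constructed from the messages quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modeled on the splunkd.log lines quoted in this thread.
SAMPLE_LOG = """\
04-25-2017 12:27:02.312 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-25-2017 12:30:01.100 +0200 INFO  Metrics - group=thruput, name=index_thruput
04-26-2017 09:06:02.289 +0200 ERROR KVStoreLookup - Failed to create lookup context
04-26-2017 09:06:02.289 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'correlationsearches_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
04-26-2017 09:07:10.005 +0200 ERROR SearchOperator:inputcsv - Error in 'inputlookup' command: External command based lookup 'action_history_lookup' is not available because KV Store initialization has not completed yet. Please try again later.
"""

TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"

# Matches only ERROR lines that name a lookup blocked by KV Store initialization.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ERROR .*?"
    r"lookup '(?P<lookup>[^']+)' is not available because "
    r"KV Store initialization has not completed yet"
)


def stalled_lookups(log_text):
    """Return {lookup_name: (error_count, first_seen, last_seen)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["lookup"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    return {name: (len(ts), min(ts), max(ts)) for name, ts in seen.items()}


def stall_hours(summary):
    """Hours between the earliest and latest matching error across all lookups."""
    if not summary:
        return 0.0
    first = min(v[1] for v in summary.values())
    last = max(v[2] for v in summary.values())
    return (last - first).total_seconds() / 3600


if __name__ == "__main__":
    summary = stalled_lookups(SAMPLE_LOG)
    for name, (count, first, last) in sorted(summary.items()):
        print(f"{name}: {count} errors, {first.isoformat()} .. {last.isoformat()}")
    print(f"KV Store not ready for at least {stall_hours(summary):.1f} h")
```

A stall measured in hours or days, as in this thread, points away from normal startup delay and toward the KV Store itself never reaching "ready".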