Splunk Enterprise Security

Major upgrade fail on ES from version 4.5.2 to 5.0.1. Please help !!!

damode
Motivator


After I installed the ES app, I got the error shown in the attached picture.
On the ES upgrade page, I noticed it mentions: "If you do not run the setup procedure promptly after the file upload completes, Enterprise Security displays errors."
To fix this, I restarted Splunk, but on the CLI it came up with a whole heap of errors, such as the ones below, which are just an extract of the errors.

    Invalid key in stanza [identityLookup] in /opt/splunk/etc/apps/SA-IdentityManagement/local/identityLookup.conf, line 6: eai:appName  (value:  SA-IdentityManagement).
    Invalid key in stanza [identityLookup] in /opt/splunk/etc/apps/SA-IdentityManagement/local/identityLookup.conf, line 7: eai:userName  (value:  nobody).
    Invalid key in stanza [nav_collection:ess_security_intelligence] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/managed_configurations.conf, line 83: nav_collection_status     (value:  old).
    Invalid key in stanza [nav_collection:ess_security_intelligence] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/managed_configurations.conf, line 120: nav_collection_data      (value:

UPDATE: additional info - Before this, I had just upgraded the Splunk SH from 6.5.2 to 6.6.1. There was no issue after that upgrade.

Please advise how I can fix this.

0 Karma

woodcock
Esteemed Legend

Did you check the compatibility of that version of ES with that version of Splunk?

0 Karma

damode
Motivator

After restarting, the ES app just shows a blank page after clicking the "Set up" option.

0 Karma

martynoconnor
Communicator

Is this Linux or Windows? If Linux and the permissions were not set correctly you may have only partially upgraded and may be running a Frankenstein's ES at the moment. If it is as simple as that, a chown -R splunk:splunk /opt/splunk (assuming that's the account and location that match your environment) and a second attempt at install should fix things.

If not...

What does it say in splunkd.log? Look for ERROR or WARN messages there. Also, in $SPLUNK_HOME/var/log/splunk/ you should have a file called (if memory serves) ess2_installer.log or maybe ess_installer2.log. Can you look there and post the last 100 lines or so?

0 Karma
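The three checks in the reply above (ownership under $SPLUNK_HOME, ERROR/WARN entries in splunkd.log, and the installer log tail) can be scripted so the output posted back to the thread is consistent. The script below is an added example written for this thread, not Splunk's own tooling or anything the posters ran. It assumes SPLUNK_HOME is /opt/splunk, the service account is splunk, and that splunkd.log lines use the "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message" layout; the sample log it builds is constructed from the four warnings quoted in the question plus two made-up lines, and the component names in it are placeholders.

```shell
#!/bin/sh
# Triage helpers for the checks suggested in this thread: file ownership under
# $SPLUNK_HOME, ERROR/WARN counts in splunkd.log, and which .conf files the
# "Invalid key in stanza" warnings point at. Example code for this thread,
# not Splunk's tooling. Assumptions: SPLUNK_HOME defaults to /opt/splunk, the
# service account is "splunk", and splunkd.log lines use the
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message" layout.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Count files under DIR that are not owned by OWNER. A non-zero result after an
# upgrade run as root is the "partially upgraded" case; the fix is the chown above.
count_foreign_owned() {
    dir="$1"; owner="$2"
    id "$owner" >/dev/null 2>&1 || { echo "unknown user: $owner" >&2; return 2; }
    find "$dir" ! -user "$owner" 2>/dev/null | wc -l | tr -d ' '
}

# Count splunkd.log entries at LEVEL (ERROR, WARN, INFO, ...). Field 4 is the
# level in the layout assumed above.
count_log_level() {
    awk -v lvl="$2" '$4 == lvl { n++ } END { print n + 0 }' "$1"
}

# Reduce "Invalid key in stanza [X] in FILE, line N: KEY (value: V)." lines
# (from splunkd.log or the CLI output quoted in the question) to "COUNT FILE",
# most affected file first. A line cut off after the key, like the last one in
# the question's extract, still yields its file name.
summarize_invalid_keys() {
    sed -n 's/.*Invalid key in stanza \[[^]]*\] in \([^,]*\), line [0-9]*: \([^ ]*\).*/\1 \2/p' "$1" \
        | awk '{ n[$1]++ } END { for (f in n) print n[f], f }' | sort -rn
}

# Last 100 lines of whichever ES installer log exists; the glob covers both
# file names guessed in the thread. Prints nothing if neither is present.
show_installer_log_tail() {
    for f in "$SPLUNK_HOME"/var/log/splunk/ess*installer*.log; do
        [ -f "$f" ] && { echo "== $f"; tail -n 100 "$f"; }
    done
}

# Constructed sample splunkd.log: the four warnings quoted in the question
# wrapped in the assumed layout, plus a made-up INFO and ERROR line.
# "ConfValidator"/"AppLoader" are placeholder component names, not real ones.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
05-29-2024 10:00:01.000 +0000 INFO  loader - Detected 12 (non-disabled) apps
05-29-2024 10:00:02.000 +0000 WARN  ConfValidator - Invalid key in stanza [identityLookup] in /opt/splunk/etc/apps/SA-IdentityManagement/local/identityLookup.conf, line 6: eai:appName  (value:  SA-IdentityManagement).
05-29-2024 10:00:02.001 +0000 WARN  ConfValidator - Invalid key in stanza [identityLookup] in /opt/splunk/etc/apps/SA-IdentityManagement/local/identityLookup.conf, line 7: eai:userName  (value:  nobody).
05-29-2024 10:00:02.002 +0000 WARN  ConfValidator - Invalid key in stanza [nav_collection:ess_security_intelligence] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/managed_configurations.conf, line 83: nav_collection_status     (value:  old).
05-29-2024 10:00:02.003 +0000 WARN  ConfValidator - Invalid key in stanza [nav_collection:ess_security_intelligence] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/managed_configurations.conf, line 120: nav_collection_data      (value:
05-29-2024 10:00:05.000 +0000 ERROR AppLoader - Failed to load app SplunkEnterpriseSecuritySuite
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample (no real Splunk install needed).
sample=$(make_sample_log)
echo "ERROR entries: $(count_log_level "$sample" ERROR)"
echo "WARN entries:  $(count_log_level "$sample" WARN)"
echo "Invalid-key warnings by conf file:"
summarize_invalid_keys "$sample"
rm -f "$sample"
```

On a real host, run `count_foreign_owned "$SPLUNK_HOME" "$SPLUNK_USER"` first; if it is non-zero, the partial-upgrade explanation fits and the chown should come before any further setup attempt. Then point `count_log_level` and `summarize_invalid_keys` at `$SPLUNK_HOME/var/log/splunk/splunkd.log`; the per-file summary tells you whether the stale keys sit in an app's `local` directory (left over from the old version) or in the new `default` files.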