All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you update the checksum for a changed system file in the InstalledFilesHashChecker

davidmills
Explorer
‎11-20-2018 10:11 PM

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Iplocation describes how to obtain updated IP location data. I have set a up a process to update /opt/splunk/share/GeoLite2-City.mmdb with the latest every month.

But then on a restart, we get messages complaining about this change:

11-21-2018 06:07:40.843 +0000 WARN  InstalledFilesHashChecker - An installed file="/opt/splunk/share/GeoLite2-City.mmdb" did not pass hash-checking due to reason="content mismatch"

I tried updating the checksum in splunk-6.5.3-36937ad027d4-linux-2.6-x86_64-manifest to match the new file - but to no avail. How do I let Splunk know that the new copy of GeoLite2-City.mmdb is OK?

Ours is a Search Head and Index cluster Enterprise edition - 6.5.3.

Tags (1)
0 Karma
Reply

davidmills
Explorer
‎11-20-2018 10:23 PM

I might have been too smart for my own good. I made a copy of splunk-6.5.3-36937ad027d4-linux-2.6-x86_64-manifest to splunk-6.5.3-36937ad027d4-linux-2.6-x86_64-manifest-20181121. It looks like this was getting checked as well.

After removing it (or rather moving elsewhere) and restarting I am yet to see another complaint. Possibly just looking too early.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...