(I'm new to splunk )
Environment: Splunk 7.1 / RHEL6.5
I have create my own log file for test purposes / learning (its like a syslog log) and I can see the data in splunk. But when I try to create an index for it I get the error below, does anyone know what could be causing this ?
Data could not be written: /nobody/search/indexes/testosboot/thawedPath: $SPLUNK_DB/testosboot/thaweddb
Cold and Thawed paths aren't pointing to /var/splunkdata/security, at least the screenshot doesn't indicate it is. Those paths still make use of $SPLUNK_DB, which isn't discernible from what was posted.
You may need to define cold and thawed path explicity, unless $SPLUNK_DB is set to something that makes sense (has sufficient space and is writeable by the splunk user).
thanks I did checked the permissions, and it was correct as I could write to the folder as the user , I uninstalled it all, rebooted, reinstalled 7.1 and after it was ok... (so I must have made a mistake somewhere and did have version 7.0 installed, which I uninstalled but did not reboot)
thanks for the pointers