Installed Splunk 5.0.1 on Gentoo Linux (x64). Execute "/opt/splunk/bin/bloom" and get the error message:
/opt/splunk/bin/splunkd: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory
Manually added a symbolic link from /usr/lib64/libpcre.so to /usr/lib64/libpcre.so.0 and executed bloom again. Got the error message:
/opt/splunk/bin/splunkd: error while loading shared libraries: /usr/lib64/libpcre.so.0: invalid ELF header
Is the error coming from the OS library or the bloom utility?
Why are you trying to use the bloom utility? You shouldn't be trying to use this at the moment.
As per the known issues:
• The $SPLUNK_HOME/bin/bloom utility is unsupported and creates duplicate buckets in the warm and cold directories of an index. Splunk does not recommend using this utility. (SPL-50742)
If you have a particular problem, throw it up here and we'll see if there's another way to fix it or if it's alright 🙂
We configure indexes.conf and put the bloom filters on a separate volume (an SSD to accelerate searching). How do we rebuild the bloom filters once the volume has crashed, without the bloom utility?
We find the bloom utility can work fine if we use splunk cmd to execute it.
$SPLUNK_HOME/bin/splunk cmd bloom
The same libpcre.so.0 error occurs when we execute the btool utility directly on Gentoo Linux (x64). The above libpcre.so.0 error is not triggered on Mac OS X.
Just to be clear, my post below was unrelated to your error. The bloom command is still unsupported, however it is called, as it is currently causing damage to bloom filters and should not be used.
It's a big product and there are a lot of elements to it. I expect it was still either being tested or a bug was found after release with it. It is listed in the known issues that all customers read before installing, however, so it is at least well publicised.
For your reference, btool has the same situation. Executing btool directly produces the libpcre.so.0 error. Using splunk cmd to call btool works fine. So, btool should be supported by Splunk, right?