I have no idea where this message is coming from. I see the subject message in the WebUI but when I restart splunk it tells me all is OK. Here is the output from a restart:
[dev]root@ip-10-94-18-55:/opt/splunk/etc/users:#/opt/splunk/bin/splunk restart
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
............. [ OK ]
Stopping splunk helpers...
[ OK ]
Done.
Splunk> Needle. Haystack. Found.
Checking prerequisites...
    Checking http port : open
    Checking mgmt port : open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port : open
    Checking configuration... Done.
    Checking critical directories... Done
    Checking indexes...
        Validated: _audit _internal _introspection _telemetry _thefishbucket aws_anomaly_detection aws_topology_daily_snapshot aws_topology_history aws_topology_monthly_snapshot aws_topology_playback aws_vpc_flow_logs history main summary
    Done
    Bypassing local license checks since this instance is configured with a remote license master.
    Checking filesystem compatibility... Done
    Checking conf files for problems...
        Invalid key in stanza [ui] in /opt/splunk/etc/apps/SA-ge_splunk_health/local/app.conf, line 12: version (value: 1.0).
        Invalid key in stanza [calendar_heatmap] in /opt/splunk/etc/apps/calendar_heatmap_app/default/visualizations.conf, line 6: supports_drilldown (value: True).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[ OK ]
Waiting for web server at https://127.0.0.1:8000 to be available................. Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at https://ip-10-94-18-55:8000
I ran the REST API call to https://10.94.18.55:8089/services/server/status/installed-file-integrity and it tells me that the file /opt/splunk/etc/users/users.ini has been modified. What am I missing here?
Any help is MUCH appreciated as this is very annoying.
The file is /opt/splunk/etc/users/users.ini that it is complaining about.
Go to a fresh Splunk instance, copy /opt/splunk/etc/users/users.ini from the fresh instance to yours, be sure to keep the file modified times ... restart.
This will go away.
When I do this, Splunk complains about the missing [contains-uppercase] section. So unfortunately this did not work.
[contains-uppercase]
212631038" = 212631038_.7c4b2bdd6b5f9690f1813a7ab9d6e76a
212611170" = 212611170_.d3b52ce6b4e8fdfbf8ec32f6d9f015ba
On my Splunk 6.5.1 Linux box, users.ini is empty:
0 -r--r--r--. 1 splunk splunk 0 Nov 18 2016 users.ini