We had to change parts of Splunk that changed the manifest, and Splunk always complains that the manifest is different. I'd like to re-baseline it if possible, so this warning goes away. I don't have to really worry about updates to Splunk itself, which I know will change the manifest package.
I don't think it will make any difference, but I am using v6.5.
We updated /opt/splunk/share/GeoLite2-City.mmdb and started getting these errors.
sha256sum is installed on RHEL, so we did this.
Get the new checksum.
Change the checksum in the manifest.
Validate.
Restart.
sha256sum /opt/splunk/share/GeoLite2-City.mmdb
c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 /opt/splunk/share/GeoLite2-City.mmdb
vi /opt/splunk/splunk-*-manifest
f 444 splunk splunk splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37
splunk validate files
Validating installed files against hashes from '/opt/splunk/splunk-*-manifest'
All installed files intact.
splunk restart
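The checksum and manifest-edit steps from the answer above as a script, added here as an example and not part of the original post. It rewrites only the hash on the one matching line, so the rest of the manifest keeps being checked. The helper name `rebaseline_entry` is hypothetical, and the field layout is an assumption inferred from the single manifest line quoted in the answer.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): re-hash one file and update only its
# manifest line, so every other entry keeps being integrity-checked.
# Assumed line layout, inferred from the single entry quoted in the answer:
#   f <mode> <owner> <group> <path relative to parent of install dir> <sha256>
# Paths containing spaces are not handled.

# rebaseline_entry MANIFEST BASE_DIR REL_PATH   (hypothetical helper name)
#   MANIFEST  manifest file to edit; a .bak copy is written beside it
#   BASE_DIR  parent of the install dir, e.g. /opt for /opt/splunk
#   REL_PATH  path as written in the manifest, e.g. splunk/share/GeoLite2-City.mmdb
rebaseline_entry() {
    local manifest=$1 base=$2 rel=$3 new_hash hits tmp rc
    [ -f "$manifest" ] || { echo "no manifest: $manifest" >&2; return 2; }
    [ -f "$base/$rel" ] || { echo "no file: $base/$rel" >&2; return 2; }

    new_hash=$(sha256sum "$base/$rel" | awk '{ print $1 }')
    [ "${#new_hash}" -eq 64 ] || { echo "hashing failed" >&2; return 2; }

    # Refuse to edit unless exactly one 'f' entry names this path.
    hits=$(awk -v p="$rel" '$1 == "f" && $5 == p { n++ } END { print n + 0 }' "$manifest")
    [ "$hits" -eq 1 ] || { echo "expected 1 entry for $rel, found $hits" >&2; return 1; }

    cp -p "$manifest" "$manifest.bak" || return 2
    tmp=$(mktemp) || return 2
    # Replace field 6 on the matching line; all other lines pass through as-is.
    awk -v p="$rel" -v h="$new_hash" \
        '$1 == "f" && $5 == p { $6 = h } { print }' "$manifest.bak" > "$tmp" \
        && cat "$tmp" > "$manifest"   # cat keeps the manifest's owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Command-line use: ./rebaseline.sh MANIFEST BASE_DIR REL_PATH
if [ "$#" -eq 3 ]; then
    rebaseline_entry "$@"
fi
```

Run `splunk validate files` afterwards, as in the answer, to confirm the manifest and the installed files agree before restarting.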
I think you need to set the following in your limits.conf
[system_checks]
installed_files_integrity = disabled
This is a workaround that I already did, but I'm really trying to find a way to regenerate the manifest so that I can have my customizations in place, and it will still check to see if anyone else makes any changes.