We had to change parts of Splunk that changed the manifest, and Splunk always complains that the manifest is different. I'd like to re-baseline it if possible, so this warning goes away. I don't have to really worry about updates to Splunk itself, which I know will change the manifest package.
I don't think it will make any difference, but I am using v6.5
We updated /opt/splunk/share/GeoLite2-City.mmdb and started getting these errors.
sha256sum in installed on RHEL so we did this.
Get the new checksum.
Change the checksum in the manafest.
sha256sum /opt/splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 /opt/splunk/share/GeoLite2-City.mmdb vi /opt/splunk/splunk-*-manifest f 444 splunk splunk splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 splunk validate files Validating installed files against hashes from '/opt/splunk/splunk-*-manifest' All installed files intact. splunk restart
This is a work around that I already did, but I'm really trying to find a way to regenerate the manifest so that I can have my customizations in place, and it will still check to see if anyone else makes any changes.