I was receiving the following messages on my search head, coming from one of my search peers:
Search peer has the following message: blockSignSize defined in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove all blockSignSize and blockSignatureDatabase (if present) keys from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.
Search peer has the following message: Found stanza=_blocksignature in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.
So I went into /opt/splunk/etc/system/local on my search peer and removed the references to blockSignSize and blockSignatureDatabase, as well as the _blocksignature stanza. I then restarted splunkd. However, splunkd won't come up now.
When I try to start splunkd, I now get the following error:
Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured
Validating databases (splunkd validatedb) failed with code '1'.
It seems you have deleted more then just the _blocksignature related parameters. Block signature was removed from 6.3, so this error is expected and you need to remove the index configuration. Are you working in a clustered or stand alone environment? You need to fix your indexes.conf
Very strangely, my $splunk_home/etc/system/default/indexes.conf. is missing all the tstatsHomePath entries. But I definitely know not to edit that file (big no-no). I have no idea how those entries are missing.
Just this once, would it be permissible to add the tstatsHomePath entries to the default indexes.conf file, or would that make my situation even worse?