Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

After editing Indexes.conf: Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured

vanderaj1
Path Finder
‎11-25-2015 08:08 PM

I was receiving the following messages on my search head, coming from one of my search peers:

Search peer has the following message: blockSignSize defined in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove all blockSignSize and blockSignatureDatabase (if present) keys from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

Search peer has the following message: Found stanza=_blocksignature in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

So I went into /opt/splunk/etc/system/local on my search peer and removed the references to blockSignSize and blockSignatureDatabase, as well as the _blocksignature stanza. I then restarted splunkd. However, splunkd won't come up now.

When I try to start splunkd, I now get the following error:

Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured
Validating databases (splunkd validatedb) failed with code '1'.

Any idea what has caused this to happen?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎11-26-2015 05:44 AM

It seems you have deleted more then just the _blocksignature related parameters. Block signature was removed from 6.3, so this error is expected and you need to remove the index configuration. Are you working in a clustered or stand alone environment? You need to fix your indexes.conf

For _audit, this is the default:

[_audit]
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

But that is configured from $splunk_home/etc/system/default/indexes.conf. You shouldnt be editing that file..

Reply

vanderaj1
Path Finder
‎11-27-2015 01:24 PM

Very strangely, my $splunk_home/etc/system/default/indexes.conf. is missing all the tstatsHomePath entries. But I definitely know not to edit that file (big no-no). I have no idea how those entries are missing.

Just this once, would it be permissible to add the tstatsHomePath entries to the default indexes.conf file, or would that make my situation even worse?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...