Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

After editing Indexes.conf: Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured

vanderaj1
Path Finder
‎11-25-2015 08:08 PM

I was receiving the following messages on my search head, coming from one of my search peers:

Search peer has the following message: blockSignSize defined in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove all blockSignSize and blockSignatureDatabase (if present) keys from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

Search peer has the following message: Found stanza=_blocksignature in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

So I went into /opt/splunk/etc/system/local on my search peer and removed the references to blockSignSize and blockSignatureDatabase, as well as the _blocksignature stanza. I then restarted splunkd. However, splunkd won't come up now.

When I try to start splunkd, I now get the following error:

Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured
Validating databases (splunkd validatedb) failed with code '1'.

Any idea what has caused this to happen?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎11-26-2015 05:44 AM

It seems you have deleted more then just the _blocksignature related parameters. Block signature was removed from 6.3, so this error is expected and you need to remove the index configuration. Are you working in a clustered or stand alone environment? You need to fix your indexes.conf

For _audit, this is the default:

[_audit]
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

But that is configured from $splunk_home/etc/system/default/indexes.conf. You shouldnt be editing that file..

Reply

vanderaj1
Path Finder
‎11-27-2015 01:24 PM

Very strangely, my $splunk_home/etc/system/default/indexes.conf. is missing all the tstatsHomePath entries. But I definitely know not to edit that file (big no-no). I have no idea how those entries are missing.

Just this once, would it be permissible to add the tstatsHomePath entries to the default indexes.conf file, or would that make my situation even worse?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...