Hi All, We are getting the below message in our search head portal. We are using cluster search heads and Splunk version 6.6.1.
Search peer test.xxxx.com has the following message: Installed Files Integrity Checker: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem.
Kindly let me know how to fix this issue. I am very new to this, so I am not sure where to find the problem and troubleshoot the issue.
Thanks in advance.
Check the accepted answer for this one. I had a similar problem recently on a SHC. But in any case this will help you find the file that is not passing integrity checks.
Basically it says go here, host by host.
Hi Duke, I tried the URL which you had shared in the above comment, updating the URL with my Splunk, but it did not respond. Instead I got the message "This site can't be reached".
Kindly guide me in this to resolve the issue.
Thanks in advance.
Duke, we could see these details when we click the link from "Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View", and it is directing to an "Integrity check of installed files" page, under "List of installed files presenting integrity check failures".
File Path and check results differs.
Kindly let me know how to fix this issue.
Ok, so for this one you have edited a default file. As with so many things Splunk, never edit /default/filename. Instead, edit /local/filename.
So in your case, copy the default.xml file from
You may have to make the directories.. not sure.
Then extract the contents of a Splunk install for your version, dig out the default.xml file, and put it back in
Or copy it from another server that is not failing the integrity check.
You may have to do some comparing on the files, to see if the xml file has changes worth keeping or if it's just an older version of the file.
Hi Duke, thanks for putting your effort into this. We have checked the below path and found only the views directory under the ui folder.
Unlike this, in the default folder we could see some additional directories.
And we could see the content of the default.xml is configured in all the 3 search head cluster under the same path. The content of the default.xml is configured to direct the link to our wiki article from the Splunk web console.
How do we extract the contents of a Splunk install for my version 6.6.1 and dig out the default.xml file from it? And also, in this case, do we need to copy all the folders from the default directory to the local directory? Kindly guide me.
Thanks in advance.
You will need to get the Linux .tgz Splunk file for your version, and extract it to a temporary location. Then use the Linux cp command to put the file default.xml where it needs to go.
Your tar command will look something like this.
tar zxf splunk-xxxxxxx-Linux-x86_64.tgz -C /tmp/
OR.. Extract it using winrar on a Windows box, and use a tool like winscp to copy the files around that way.
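The procedure described in this thread (extract the matching .tgz, compare, keep the customised file under local/, put the stock file back under default/), as an added shell example that is not part of the original posts. The function name, the `.from-default` suffix and the example paths are assumptions, and it works for any file under a `default/` directory, not only default.xml.

```shell
#!/bin/sh
# Added example, not from the thread. PRISTINE_ROOT is the tree produced by
#   tar zxf splunk-xxxxxxx-Linux-x86_64.tgz -C /tmp/     (i.e. /tmp/splunk)

# restore_default SPLUNK_HOME PRISTINE_ROOT REL_PATH
# REL_PATH is relative to both roots and must sit under a default/ directory.
# Prints: match | restored | restored-local-kept   (function name is ours)
restore_default() {
    home=$1; pristine=$2; rel=$3
    installed="$home/$rel"; clean="$pristine/$rel"
    case "$rel" in
        */default/*) ;;
        *) echo "error: not under default/: $rel" >&2; return 2 ;;
    esac
    for f in "$clean" "$installed"; do
        [ -f "$f" ] || { echo "error: missing file: $f" >&2; return 2; }
    done

    # Byte-for-byte comparison with the copy from the installation media.
    if cmp -s "$installed" "$clean"; then
        echo match; return 0
    fi

    # Map .../default/<rest> to .../local/<rest> so the customisation survives.
    target="$home/${rel%%/default/*}/local/${rel#*/default/}"
    mkdir -p "$(dirname "$target")"
    if [ -e "$target" ]; then
        # Never overwrite an existing local override; park the copy beside it.
        cp -p "$installed" "$target.from-default"
        result=restored-local-kept
    else
        cp -p "$installed" "$target"
        result=restored
    fi

    # Shipped files may be read-only, hence -f when putting the stock copy back.
    cp -pf "$clean" "$installed"
    echo "$result"
}

# Example call (paths assumed):
#   restore_default /opt/splunk /tmp/splunk etc/apps/search/default/data/ui/nav/default.xml
if [ "$#" -eq 3 ]; then restore_default "$@"; fi
```

Run it on each host that reports the failure and then restart Splunk; `./splunk validate files` from `$SPLUNK_HOME/bin` re-runs the integrity check on demand.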
Hi Duke, thanks for your effort on this. I have checked another Splunk instance which is running the same build version 6.6.1 as the search head cluster instance. This particular instance is used as the Deployment server, and when I verified the file path /opt/splunk/etc/apps/search/default/data/ui/nav/default.xml I found the below details; hope this should be the default file.
My question: can I follow the below steps?
Step 1) Need to back up the default.xml file which is present in the search head cluster.
Step 2) Next need to copy the default.xml from the Deployment server to the search head cluster and paste it under the below location.
Step 3) The default.xml file which was backed up from the search head cluster should be placed under the local directory in all the search head cluster environment,
including the below directories taken from /opt/splunk/etc/apps/search/default/data/ui/
Step 4) Restart the Splunk services.
Kindly guide me whether I can follow the above steps to fix this issue.