Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to fix the missing spec file errors?

kasia24
New Member
‎04-24-2015 08:05 AM

Hi,

I currently have four instances of Splunk, which are synchronised on a daily basis (the first instance pushes updates to the rest).

A couple of days ago I noticed that the regex for two extracted fields have changed somehow so the searches wouldn't work anymore. When I altered the regex for them, everything worked fine until the next day - I realised that the changes have completely reverted after splunk service restarted. I also found these error messages when I ran "./splunk btool check --debug " (there are more of them, for all splunk users):

No spec file for: /opt/splunk/etc/apps/user-prefs/default/user-
No spec file for: /opt/splunk/etc/system/default/conf.conf
No spec file for: /opt/splunk/etc/system/default/datatypesbnf.c
No spec file for: /opt/splunk/etc/system/default/default-mode.c
No spec file for: /opt/splunk/etc/system/default/prefs.conf

Not sure if that's the reason for why changes are not saved or if it's just a separate issue, but I would still like to fix these.

Can anyone help, please?

What are spec files and could I possibly recover them if they were lost maybe, etc?

Thank you and have a great weekend 🙂

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎04-24-2015 10:06 AM

I suspect that your "synchronization" is broken. What do you mean by that?

The files that you show are basic configuration files that your splunk instance needs. In particular the files in the /opt/splunk/etc/system/default directory are important and should not be changed.

If you are attempting to replicate changes between Splunk instances, you should leave the default directories alone.
As for how to recover, you could restore them from a backup if you have one. Or you could reinstall Splunk.
Depending on how badly the synchronization has damaged your Splunk instances, reinstallation might be the best route to a stable and correct Splunk.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...