Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Index.conf error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, I am setting up a Splunk Dev env. I have one indexer, one SH, and one forwarder. I have uninstalled and reinstalled the Dev Indexer. I am trying to set it up to use two different filesystems as cold/hot data.
The error im receiving when i restart Splunk is
Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index '_audit': path of homePath must be absolute ('$SPLUNK_HOME/data/audit/db')
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
Im not sure how to set this up correctly. I reinstalled the indexer so i could fix the mounts and storage.
For the /export/opt/splunk/etc/system.local/indexes.conf, i have something like:
[default]
homePath = $SPLUNK_DB/hot/$_index_name/db
coldPath = $SPLUNK_DB/cold/$_index_name/colddb
For my Splunk_DB, I have tried to set it in the Splunk-Launch.conf, as shown below:
# Version 9.2.0.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
SPLUNK_HOME=/export/opt/splunk/
# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#
SPLUNK_DB=$SPLUNK_HOME/data/
# Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd
# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
ENABLE_CPUSHARES=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to solve this halfway through writing this.
For future reference, you cant have the $SPlunk_HOME referenced in the $SPLUNK_DB. At least for me, the server hadnt restarted and updated the value, so it didnt recognize it.
I had to set the path manually,
$SPLUNK_DB=/export/opt/splunk/data
Don't forget to leave the trailing / out.
The you can have your indexes.conf look like:
homePath = $SPLUNK_DB/hot/$_index_name/db coldPath = $SPLUNK_DB/cold/$_index_name/colddb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to solve this halfway through writing this.
For future reference, you cant have the $SPlunk_HOME referenced in the $SPLUNK_DB. At least for me, the server hadnt restarted and updated the value, so it didnt recognize it.
I had to set the path manually,
$SPLUNK_DB=/export/opt/splunk/data
Don't forget to leave the trailing / out.
The you can have your indexes.conf look like:
homePath = $SPLUNK_DB/hot/$_index_name/db coldPath = $SPLUNK_DB/cold/$_index_name/colddb
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
