Solved: Not able to create '_introspection' index

thezero · ‎12-01-2015

Hi Team,

I am getting below error message when I am trying to create new index 'introspection'.
Error:
In handler 'indexes': invalid name: '_introspection'. name parameter must be non-empty and cannot start with '' or '-'

Scenario:
We have recently upgraded our heavy weight forwarder and indexer is still running an older version.After HWF upgarded we received few warning messages in GUI like "received event for unconfigured/disabled/deletd index index="_introspection".Now splunk not allowing to create index _introspection.How can I resolve this?Please advise

javiergn · ‎12-02-2015

See if this helps.
Keep in mind you can't manually create new indexes that start with _ because that is reserved for Splunk internal ones. Internal indexes don't count towards the license so it's easy to guess why this is not permitted 🙂

View solution in original post

javiergn · ‎12-02-2015

See if this helps.
Keep in mind you can't manually create new indexes that start with _ because that is reserved for Splunk internal ones. Internal indexes don't count towards the license so it's easy to guess why this is not permitted 🙂

javiergn · ‎12-02-2015

This might help too

Lucas_K · ‎12-01-2015

See if you can create it via a local indexes.conf edit and not via the gui.

This is what it looks like in newer versions.

[_introspection]
homePath = $SPLUNK_DB/_introspection/db
coldPath = $SPLUNK_DB/_introspection/colddb
thawedPath = $SPLUNK_DB/_introspection/thaweddb
maxDataSize = 1024
frozenTimePeriodInSecs = 1209600

I am sure I did exactly this on some older indexers when customers updated their forwarders before we upgraded our own machines.

Not able to create '_introspection' index

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation