Getting Data In

Problem indexes.conf splunkd not restarting !

Path Finder

Hello ,

I have a distributed architecture of Splunk SH with Splunk ES and an indexer . I get suddenly this error message on the indexer and it's stopped I had that message error when I restart splunkd service : "Problem parsing indexes.conf: default index disabled - quit! Validating databases (splunkd validatedb) failed with code '1'. Please file a case online at http://www.splunk.com/page/submit_issue" .

Please I need Help ! 😞

Thank you very much for your helps !

0 Karma
1 Solution

Motivator

If you are on Linux, look for this file on your indexer (I assume that you have only one):

/opt/splunk/etc/system/local/indexes.conf

If you are on Windows, look for this:

C:\ or whatever drive and path you used>\Splunk\etc\system\local\indexes.conf

Search for a stanza in that file which begins with this line:

[main]

Inside that stanza you fill probably find a line that say disabled=true. Change that to disabled=false (or add it if it isn't there ) and start your indexer.

View solution in original post

SplunkTrust
SplunkTrust

What error does splunkd.log give?

Take a look under $SPLUNK_HOME/var/log/splunk to find splunkd.log

Also, verify the permissions are correct on your index.conf file

0 Karma

Path Finder

Thank you for you response 🙂

0 Karma

Motivator

If you are on Linux, look for this file on your indexer (I assume that you have only one):

/opt/splunk/etc/system/local/indexes.conf

If you are on Windows, look for this:

C:\ or whatever drive and path you used>\Splunk\etc\system\local\indexes.conf

Search for a stanza in that file which begins with this line:

[main]

Inside that stanza you fill probably find a line that say disabled=true. Change that to disabled=false (or add it if it isn't there ) and start your indexer.

View solution in original post

Path Finder

Hi 🙂

thank you so much for your reply !

I configured the file "indexes.conf" as you said but no results. why I had this error ?

Please,how can I resolve it ?

0 Karma

Splunk Employee
Splunk Employee

Indexes I created (through deployment server app) where disabled after creation (if the app was not configured to restart). After adding the line "disabled = false" - the new indexes are enabled without restart. Thanks!

0 Karma

Motivator

I read some of your replies above and they are a little confusing.

First, you said that you don't have an index named main, but it is created when you install Splunk. The main index is the default index. If it is missing then someone has either changed or deleted $SPLUNK_HOME/etc/system/default/indexes.conf.

Second....that error message you posted looks like you have told two different indexes to use the same thaweddb directory.

Run these two commands and post all of their output:
splunk btool indexes list --debug | grep "\["
splunk start

0 Karma

Path Finder

Hi ,

Thank you so much for your response!

yeah,like you said, I founded there is two different indexes that they use the same thaweddb directory !

I resolved the problem ! Splunk works well now ! ^^
Thank you so much !

Kind regards

0 Karma

Super Champion

have you tried putting indexes.conf into a standalone Splunk instance? you will get errors much quicker

0 Karma

Path Finder

Thank you for your response 🙂
I didn't understand your recommendation ? Please How can I fix this issue ?

0 Karma

Motivator

Hi there, please check if the main index is disabled.

0 Karma

Path Finder

Hi ! Thank you for your reply ! but I don't have main index !
The error message is about :
index=windows Path=/opt/splunk/var/lib/splunk/windows/thaweddb given as value of param=thawedPath collides with value of param2=thawedPath of index2=index_windows).
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue.

what is the problem ?? Please ??

0 Karma