Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem indexes.conf splunkd not restarting !

Nesrinepfe
Path Finder
‎04-05-2017 11:34 AM

Hello ,

I have a distributed architecture of Splunk SH with Splunk ES and an indexer . I get suddenly this error message on the indexer and it's stopped I had that message error when I restart splunkd service : "Problem parsing indexes.conf: default index disabled - quit! Validating databases (splunkd validatedb) failed with code '1'. Please file a case online at http://www.splunk.com/page/submit_issue" .

Please I need Help ! 😞

Thank you very much for your helps !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lycollicott
Motivator
‎04-05-2017 12:15 PM

If you are on Linux, look for this file on your indexer (I assume that you have only one):

/opt/splunk/etc/system/local/indexes.conf

If you are on Windows, look for this:

C:\ or whatever drive and path you used>\Splunk\etc\system\local\indexes.conf

Search for a stanza in that file which begins with this line:

[main]

Inside that stanza you fill probably find a line that say disabled=true. Change that to disabled=false (or add it if it isn't there ) and start your indexer.

View solution in original post

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-05-2017 12:38 PM

What error does splunkd.log give?

Take a look under $SPLUNK_HOME/var/log/splunk to find splunkd.log

Also, verify the permissions are correct on your index.conf file

0 Karma
Reply
Solved! Jump to solution

Nesrinepfe
Path Finder
‎04-15-2017 03:49 AM

Thank you for you response 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

lycollicott
Motivator
‎04-05-2017 12:15 PM

If you are on Linux, look for this file on your indexer (I assume that you have only one):

/opt/splunk/etc/system/local/indexes.conf

If you are on Windows, look for this:

C:\ or whatever drive and path you used>\Splunk\etc\system\local\indexes.conf

Search for a stanza in that file which begins with this line:

[main]

Inside that stanza you fill probably find a line that say disabled=true. Change that to disabled=false (or add it if it isn't there ) and start your indexer.

Reply
Solved! Jump to solution

Nesrinepfe
Path Finder
‎04-06-2017 01:50 AM

Hi 🙂

thank you so much for your reply !

I configured the file "indexes.conf" as you said but no results. why I had this error ?

Please,how can I resolve it ?

0 Karma
Reply
Solved! Jump to solution

tbaublys_splunk
Splunk Employee
Splunk Employee
‎07-04-2017 12:41 AM

Indexes I created (through deployment server app) where disabled after creation (if the app was not configured to restart). After adding the line "disabled = false" - the new indexes are enabled without restart. Thanks!

0 Karma
Reply
Solved! Jump to solution

lycollicott
Motivator
‎04-06-2017 10:15 AM

I read some of your replies above and they are a little confusing.

First, you said that you don't have an index named main, but it is created when you install Splunk. The main index is the default index. If it is missing then someone has either changed or deleted $SPLUNK_HOME/etc/system/default/indexes.conf.

Second....that error message you posted looks like you have told two different indexes to use the same thaweddb directory.

Run these two commands and post all of their output:
splunk btool indexes list --debug | grep "\["
splunk start

0 Karma
Reply
Solved! Jump to solution

Nesrinepfe
Path Finder
‎04-15-2017 03:49 AM

Hi ,

Thank you so much for your response!

yeah,like you said, I founded there is two different indexes that they use the same thaweddb directory !

I resolved the problem ! Splunk works well now ! ^^
Thank you so much !

Kind regards

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎04-05-2017 11:40 AM

have you tried putting indexes.conf into a standalone Splunk instance? you will get errors much quicker

0 Karma
Reply
Solved! Jump to solution

Nesrinepfe
Path Finder
‎04-05-2017 11:59 AM

Thank you for your response 🙂
I didn't understand your recommendation ? Please How can I fix this issue ?

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎04-05-2017 12:06 PM

Hi there, please check if the main index is disabled.

0 Karma
Reply
Solved! Jump to solution

Nesrinepfe
Path Finder
‎04-06-2017 01:42 AM

Hi ! Thank you for your reply ! but I don't have main index !
The error message is about :
index=windows Path=/opt/splunk/var/lib/splunk/windows/thaweddb given as value of param=thawedPath collides with value of param2=thawedPath of index2=index_windows).
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue.

what is the problem ?? Please ??

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...