I have a distributed architecture of Splunk SH with Splunk ES and an indexer. I suddenly get this error message on the indexer and it has stopped. I get this error message when I restart the splunkd service: "Problem parsing indexes.conf: default index disabled - quit! Validating databases (splunkd validatedb) failed with code '1'. Please file a case online at http://www.splunk.com/page/submit_issue".
Please, I need help! 😞
Thank you very much for your help!
Hi! Thank you for your reply! But I don't have a main index!
The error message is about:
index=windows Path=/opt/splunk/var/lib/splunk/windows/thaweddb given as value of param=thawedPath collides with value of param2=thawedPath of index2=indexwindows).
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submitissue.
What is the problem?? Please??
If you are on Linux, look for this file on your indexer (I assume that you have only one):
If you are on Windows, look for this:
<C:\ or whatever drive and path you used>\Splunk\etc\system\local\indexes.conf
Search for a stanza in that file which begins with this line:
Inside that stanza you will probably find a line that says
disabled=true. Change that to
disabled=false (or add it if it isn't there) and start your indexer.
Thank you so much for your reply!
I configured the file "indexes.conf" as you said, but no results. Why did I get this error?
Please, how can I resolve it?
I read some of your replies above and they are a little confusing.
First, you said that you don't have an index named main, but it is created when you install Splunk. The main index is the default index. If it is missing then someone has either changed or deleted $SPLUNK_HOME/etc/system/default/indexes.conf.
Second, that error message you posted looks like you have told two different indexes to use the same thaweddb directory.
Run these two commands and post all of their output:
splunk btool indexes list --debug | grep "\["
Thank you so much for your response!
Yeah, like you said, I found there are two different indexes that use the same thaweddb directory!
I resolved the problem! Splunk works well now! ^^
Thank you so much!
Indexes I created (through deployment server app) were disabled after creation (if the app was not configured to restart). After adding the line "disabled = false" - the new indexes are enabled without restart. Thanks!
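Added example, not part of the original thread or Splunk's own code: a small checker that finds the kind of thawedPath collision reported above before splunkd's validatedb step fails on it. The sample configuration is constructed, the function names are hypothetical, and the default for `$SPLUNK_DB` is assumed from the path in the error message.

```python
import posixpath
from collections import defaultdict

PATH_PARAMS = ("homePath", "coldPath", "thawedPath")

# Constructed sample, modelled on the collision reported in the thread.
SAMPLE_CONF = """\
[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

[indexwindows]
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = /opt/splunk/var/lib/splunk/windows//thaweddb/
"""

def parse_index_paths(conf_text, splunk_db="/opt/splunk/var/lib/splunk"):
    """Return {normalized_path: [(index, param), ...]} for index stanzas."""
    users = defaultdict(list)
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        # [default] and [volume:...] stanzas do not define an index
        if not sep or stanza in (None, "default") or stanza.startswith("volume:"):
            continue
        if key in PATH_PARAMS:
            path = value.strip().replace("$SPLUNK_DB", splunk_db)
            path = path.replace("$_index_name", stanza)
            # normpath makes "a//b/" and "a/b" compare equal
            users[posixpath.normpath(path)].append((stanza, key))
    return users

def find_collisions(conf_text, **kw):
    """Paths claimed by more than one (index, param) pair."""
    return {p: u for p, u in parse_index_paths(conf_text, **kw).items() if len(u) > 1}

if __name__ == "__main__":
    for path, users in find_collisions(SAMPLE_CONF).items():
        print(path, "<-", ", ".join(f"{i}.{p}" for i, p in users))
```

Run it against the merged configuration (the output of `splunk btool indexes list` without `--debug`) rather than a single file, since the colliding stanzas may live in different apps.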