Hi, I reinstalled Splunk.
Then I copied the old /splunk/var/ to the new /opt/splunk/.
But when I start Splunk, I get this error:
Problem parsing indexes.conf: default index disabled - quit!
Validating databases (splunkd validatedb) failed with code '1'. Please file a case online at http://www.splunk.com/page/submit_issue
And then I copied all the old indexes.conf to overwrite the new indexes.conf.
But I still get this error.
This is usually caused by the improper use of an inline comment in indexes.conf. For example:
homePath = /data/sandwich_security/db. # Gotta keep an eye on those sandwiches!
This can prevent splunkd from parsing your indexes.conf.
I just ran into this. My $SPLUNK_HOME/etc/system/local/indexes.conf had:
[main]
disabled = 1
I changed that over to 0 and I was good. I suspect I mucked things up when I ran splunk as root then tried to reboot, at which time it tried to start as user splunk. I had to fix several file permission issues. I found out everything (so far) was fixed with 'chmod -R splunk $SPLUNK_HOME'.
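The two causes named in the answers above (an inline comment after a value, and `disabled = 1` under `[main]`) can be checked for before starting splunkd. This is an added example, not part of any post in this thread and not Splunk's own code; the function name, the sample file and the set of values treated as "disabled" are assumptions, and the inline-comment test is a heuristic.

```python
import re

DEFAULT_INDEX = "main"   # stanza named in the answer above
TRUTHY = {"1", "true"}   # assumption: values counted as "disabled"

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# full-line comments like this one are fine
[main]
homePath = /data/sandwich_security/db. # Gotta keep an eye on those sandwiches!
disabled = 1

[web_proxy]
homePath = $SPLUNK_DB/web_proxy/db
disabled = 0
"""

def check_indexes_conf(text):
    """Return (line_no, stanza, problem) tuples for one indexes.conf."""
    findings = []
    stanza = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank or full-line comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        if "=" not in line:
            continue                         # not a key = value setting
        key, value = (part.strip() for part in line.split("=", 1))
        # '#' only starts a comment at the beginning of a line, so a
        # trailing '# ...' ends up inside the value (here: the homePath).
        if re.search(r"(^|\s)#", value):
            findings.append((no, stanza, f"inline comment in {key}"))
        if (stanza == DEFAULT_INDEX and key == "disabled"
                and value.lower() in TRUTHY):
            findings.append((no, stanza, "default index disabled"))
    return findings

if __name__ == "__main__":
    for no, stanza, problem in check_indexes_conf(SAMPLE):
        print(f"line {no} [{stanza}]: {problem}")
```

Run it against every indexes.conf under $SPLUNK_HOME/etc, since the setting that wins can come from any layer; `splunk btool indexes list --debug` shows which file each merged setting comes from.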
Usually, this is because Splunk detected a duplicate bucket ID in your main index.
To fix:
I don't even have a splunkd.log in the "splunk" folder.
Same. I don't even have splunkd.log in my 'splunk' folder.