Solved: Splunkd Warning: "C:\program files\...\local.meta ...

jacobpevans · ‎07-29-2019

Hello fellow Splunkers,

We've been tracking down and resolving our Splunkd errors and warnings. This one has us perplexed:

WARN ExecProcessor - message from ""C:\program files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" BundlesUtil - C:\program files\SplunkUniversalForwarder\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta

The difference is "program files" vs. "Program Files". I know it's just a warning and has no impact, but I'd still like to resolve it as it happens every minute on all of our forwarders filling up the splunkd logs. I also do not want to change the logging as ExecProcessor contains many useful warnings. The closest answer I've found online is here*, although that one has to do with the case of the app name instead of the $SplunkHome full path.

The only thing I can think of that may have caused this is that we upgrade our forwarders automatically. We are a 100% Windows environment. We achieve this with a scripted input that sends the value of %SPLUNK_HOME% to PowerShell via a command/batch file that uses msiexec to upgrade the forwarders. The value of %SPLUNK_HOME% is sent by Splunk to all scripted inputs (it is not an environment variable). I'm guessing that SPLUNK_HOME is lower()ed by Splunk which is causing some mismatch that Splunk later checks for some reason. However, I have no idea how to resolve the issue.

* https://answers.splunk.com/answers/137700/when-trying-to-schedule-a-pdf-email-delivery-i-receive-the...

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

jacobpevans · ‎07-29-2019

I was able to resolve the warnings by uncommenting the line below in $SPLUNK_HOME\etc\splunk-launch.cfg, capitalizing the P and F in Program Files, and restarting the SplunkForwarder service.

# SPLUNK_HOME=C:\program files\SplunkUniversalForwarder

Alternatively, you can run the following command as the account that Splunk is running as on the Windows VM with the forwarder installed in an elevated cmd prompt (Run as Administrator).

SETX $SPLUNK_HOME "C:\Program Files\SplunkUniversalForwarder"

Whether or not this should be done is another question (this is not a production environment).

http://dev.splunk.com/view/quickstart/SP-CAAAFDH

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

View solution in original post

jacobpevans · ‎07-29-2019

I was able to resolve the warnings by uncommenting the line below in $SPLUNK_HOME\etc\splunk-launch.cfg, capitalizing the P and F in Program Files, and restarting the SplunkForwarder service.

# SPLUNK_HOME=C:\program files\SplunkUniversalForwarder

Alternatively, you can run the following command as the account that Splunk is running as on the Windows VM with the forwarder installed in an elevated cmd prompt (Run as Administrator).

SETX $SPLUNK_HOME "C:\Program Files\SplunkUniversalForwarder"

Whether or not this should be done is another question (this is not a production environment).

http://dev.splunk.com/view/quickstart/SP-CAAAFDH

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Splunkd Warning: "C:\program files\...\local.meta already exists but with different casing: C:\Program Files\...\local.meta"

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!