
Splunkd Warning: "C:\program files\...\local.meta already exists but with different casing: C:\Program Files\...\local.meta"


Hello fellow Splunkers,

We've been tracking down and resolving our Splunkd errors and warnings. This one has us perplexed:

WARN ExecProcessor - message from ""C:\program files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" BundlesUtil - C:\program files\SplunkUniversalForwarder\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta

The difference is "program files" vs. "Program Files". I know it's just a warning and has no impact, but I'd still like to resolve it as it happens every minute on all of our forwarders filling up the splunkd logs. I also do not want to change the logging as ExecProcessor contains many useful warnings. The closest answer I've found online is here*, although that one has to do with the case of the app name instead of the $SplunkHome full path.

The only thing I can think of that may have caused this is that we upgrade our forwarders automatically. We are a 100% Windows environment. We achieve this with a scripted input that sends the value of %SPLUNK_HOME% to PowerShell via a command/batch file that uses msiexec to upgrade the forwarders. The value of %SPLUNK_HOME% is sent by Splunk to all scripted inputs (it is not an environment variable). I'm guessing that SPLUNK_HOME is lower()ed by Splunk which is causing some mismatch that Splunk later checks for some reason. However, I have no idea how to resolve the issue.

* https://answers.splunk.com/answers/137700/when-trying-to-schedule-a-pdf-email-delivery-i-receive-the...

Cheers,
Jacob

Re: Splunkd Warning: "C:\program files\...\local.meta already exists but with different casing: C:\Program Files\...\local.meta"


I was able to resolve the warnings by uncommenting the line below in $SPLUNK_HOME\etc\splunk-launch.cfg, capitalizing the P and F in Program Files, and restarting the SplunkForwarder service.

# SPLUNK_HOME=C:\program files\SplunkUniversalForwarder

Alternatively, you can run the following command as the account that Splunk is running as on the Windows VM with the forwarder installed in an elevated cmd prompt (Run as Administrator).

SETX $SPLUNK_HOME "C:\Program Files\SplunkUniversalForwarder"

Whether or not this should be done is another question (this is not a production environment).

http://dev.splunk.com/view/quickstart/SP-CAAAFDH

Cheers,
Jacob


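
A read-only check for the mismatch discussed in this thread, added here as an example and not taken from the original posts: it compares the SPLUNK_HOME values found in splunk-launch.cfg and in the current session's environment with the casing stored on disk. The function names are hypothetical, the default install path is the one quoted in the thread, and a local drive path is assumed.

```powershell
# Added example: report casing drift between SPLUNK_HOME settings and the on-disk path.
# Get-OnDiskCasing and Test-SplunkHomeCasing are hypothetical helper names.
function Get-OnDiskCasing {
    param([Parameter(Mandatory)][string]$Path)
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    $dir = New-Object System.IO.DirectoryInfo $resolved
    $names = New-Object 'System.Collections.Generic.List[string]'
    # NTFS preserves case: ask each parent directory for the child's stored name.
    while ($null -ne $dir.Parent) {
        $names.Insert(0, $dir.Parent.GetFileSystemInfos($dir.Name)[0].Name)
        $dir = $dir.Parent
    }
    # $dir is now the drive root (for example C:\); assumes a local drive, not UNC.
    return $dir.FullName.ToUpperInvariant() + ($names -join '\')
}

function Test-SplunkHomeCasing {
    param([string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder')
    $actual = Get-OnDiskCasing -Path $InstallDir
    $cfg = Join-Path $InstallDir 'etc\splunk-launch.cfg'
    $found = @()
    # Collect every SPLUNK_HOME line, including commented-out ones.
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^\s*(#?)\s*SPLUNK_HOME\s*=\s*(.+?)\s*$') {
            $src = if ($Matches[1]) { 'splunk-launch.cfg (commented out)' } else { 'splunk-launch.cfg' }
            $found += [pscustomobject]@{ Source = $src; Value = $Matches[2].Trim('"').TrimEnd('\') }
        }
    }
    # The environment of the session running this script, if the variable is set.
    if ($env:SPLUNK_HOME) {
        $found += [pscustomobject]@{ Source = 'environment'; Value = $env:SPLUNK_HOME.TrimEnd('\') }
    }
    foreach ($f in $found) {
        # -ceq is case-sensitive, -ieq is case-insensitive.
        if ($f.Value -ceq $actual) {
            $status = 'OK'
        } elseif ($f.Value -ieq $actual) {
            $status = 'CASING DIFFERS'
        } else {
            $status = 'DIFFERENT PATH'
        }
        [pscustomobject]@{ Source = $f.Source; Value = $f.Value; OnDisk = $actual; Status = $status }
    }
}

Test-SplunkHomeCasing | Format-Table -AutoSize
```

The script changes nothing; rows marked CASING DIFFERS are the ones that correspond to the warning text quoted in the question.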