Getting Data In

Unusable Filesystem

jessieb_83
Path Finder

I'm setting up a lab instance of  Splunk Ent in prep to replace our legacy instance in a live environment and getting this error message:

"homePath='/mnt/splunk_hot/abc/db' of index=abc on unusable filesystem"

I'm running RHEL 8 VM's, running Splunk 9.1, 2 indexers clustered  together and a cluster manager. I've attached external drives for hot and cold to each indexer.

The external drives have been formatted in ext4 and set in fdisk to mount at boot every time as /mnt/splunk_hot and /mnt/splunk_cold and pointed indexes.conf by volume to them. They come up at boot, I can navigate to them and write to them. They're currently owned by root. I couldn't find who should have permission over them so I left them as is to start.

I tried to enable OPTIMISTIC_ABOUT_FILE_LOCKING=1  but that didn't do anything. That being said, i suspect I've missed a step in the actions taken mounting the external drives. 

I wasn't able to find specifics about the way I'm doing this, so I pose the question: 

Am I doing something wrong, or missing a step on mounting these external drives? Is that now a bad practice? 

I'm stumped.

my indexes.conf:

[volume:hot]
path=/mnt/splunk_hot

[volume:cold]
path=/mnt/splunk_cold

[abc]
repFactor = auto
homePath = volume:hot/abc/db
coldPath = volume:cold/abc/db
thawedPath = $SPLUNK_DB/abc/thaweddb
##We're not utilizing frozen storage at all so I left it default

Any advice here would be greatly appreciated!

Labels (2)
Tags (1)
0 Karma
1 Solution

jessieb_83
Path Finder

Finally figured out it was a permission issue. I didn't give splunk ownership over the index locations. 

View solution in original post

0 Karma

jessieb_83
Path Finder

Finally figured out it was a permission issue. I didn't give splunk ownership over the index locations. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jessieb_83 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

PickleRick
SplunkTrust
SplunkTrust

My first hint whenever "something strange" happens seemingly at OS level would be of course to check SELinux.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jessieb_83,

let me understand: you want to use as $SPLUNK_DB a removable hard drive?

I'm not sure that's possible.

Open a case to Splunk Support, they are the only that can answer to you.

ciao.

Giuseppe

0 Karma

jessieb_83
Path Finder

I left the Frozen drive to point to $SPLUNK_DB on the indexer's drive, but I'm not trying to employ frozen buckets at all.

I'm trying to use the volumes on external drives for hot and cold, that's how our current instance is set up. The difference being the current is on Windows, and this new one is going to be on RHEL8.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...