Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting "homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem." while starting Splunk on an indexer?

ayushchoudhary
Path Finder
‎09-10-2015 11:46 PM

I got this error while starting Splunk on the indexer. 

homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem. Validating databases (splunkd validatedb) failed with code '1'.

Please help urgently.

Reply
1 Solution
Solved! Jump to solution
Solution

naisanza
Path Finder
‎04-25-2016 01:13 PM

You'll want to append the following configuration option to $SPLUNK_HOME/etc/splunk-launch.conf:

OPTIMISTIC_ABOUT_FILE_LOCKING = 1

Note from malmoore (Splunk): As of 28 March 2018, this workaround has been officially documented in the Troubleshooting Manual. See Splunk Enterprise does not start due to unusable filesystem in the manual for the procedure.

The caveats for using this workaround still apply. Proceed with caution, and at your own risk. Irrevocable data loss can still occur. We have already had one report in this thread of problems that have occurred after enabling this setting.

Key points (as of 24 April 2018)

  • There is still no support for macOS 10.13 High Sierra on Splunk Enterprise version 7.0.
  • There is work scheduled to fix the problem for macOS 10.13 on Splunk Enterprise 7.0 and reinstate support, but there is no promise of delivery of this functionality.
  • There is support for macOS 10.13 High Sierra on APFS on Splunk Enterprise version 7.1.

View solution in original post

Reply
Solved! Jump to solution

jmantor
Path Finder
‎03-26-2018 11:50 AM

I just encountered this same error running Splunk 6.5.6 on RHEL with an EXT4 file system.

0 Karma
Reply
Solved! Jump to solution

malmoore
Splunk Employee
Splunk Employee
‎03-29-2018 12:54 PM

Is this a fresh install?
What version of RHEL?
Did you upgrade and switch from another file system to ext4?

0 Karma
Reply
Solved! Jump to solution

jmantor
Path Finder
‎04-19-2018 08:53 AM

It was an existing install. RHEL 6.x. It turns out the lun that the disk was on was accidentally filled up via a VMware snapshot.

0 Karma
Reply
Solved! Jump to solution

malmoore
Splunk Employee
Splunk Employee
‎04-20-2018 09:34 AM

Ah, thanks or the info. Another reason why setting this variable should be done only as a last resort.

0 Karma
Reply
Solved! Jump to solution

bnariyani_splun
Splunk Employee
Splunk Employee
‎04-18-2018 03:57 AM

Worked Well...

0 Karma
Reply
Solved! Jump to solution

rcrohns_splunk
Splunk Employee
Splunk Employee
‎02-15-2018 11:59 PM

This worked for me on macOS High Sierra 10.13.3 with Splunk version 7.0.2.,

Reply
Solved! Jump to solution

uthornander_spl
Splunk Employee
Splunk Employee
‎01-10-2018 12:42 AM

Is this still applicable to 7.1?

UT
0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎01-11-2018 06:17 AM

Did you mean Splunk Enterprise 7.0.1 or an OS version?

0 Karma
Reply
Solved! Jump to solution

uthornander_spl
Splunk Employee
Splunk Employee
‎01-10-2018 12:42 AM

Is this still applicable to 7.1?

UT
0 Karma
Reply
Solved! Jump to solution

tjr1775
Path Finder
‎11-27-2017 08:50 AM

So I had this problem as well, and the optimistic file thingee =1 did not work. I have MacOS 10.13.1 (High Sierra) and Splunk 7.0. It was thought this wasn't a problem with 7.0, but it is. However, here is the fix if the optimistic thing is well, not so optimistic:

rm /opt/splunk/lib/libz.1.dylib
cp /usr/lib/libz.1.dylib /opt/splunk/lib/libz.1.dylib

Found at a similar thread: https://answers.splunk.com/answers/585512/importerror-symbol-not-found-inflatevalidate-when.html

Reply
Solved! Jump to solution

pranavna
Explorer
‎04-27-2018 11:41 AM

that fixed my issue. thanks...

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-16-2016 09:20 PM

Careful. This is an indication that you may have Splunk deployed on top of an unsupported filesystem that does not implement required file locking mechanism. Setting that attribute in splunk-launch.conf is overriding our internal file locking test during startup. YMMV...

Reply
Solved! Jump to solution

vbumgarner
Contributor
‎01-31-2017 09:52 AM

After using this flag for awhile, I'm now getting:

WARN JournalSlice - Error reading from fresh journal slice file ".../db/hot_v1_4937/rawdata/1971039751": Input/output error

Is this related, or do I just have a bad disk?

0 Karma
Reply
Solved! Jump to solution

Dimitri_McKay
Splunk Employee
Splunk Employee
‎08-17-2016 08:36 AM

Actually, this worked perfect for me too. I'm running Sierra beta and two of my instances complained about this. So it may be OS X Beta related.

0 Karma
Reply
Solved! Jump to solution

vbumgarner
Contributor
‎09-21-2016 01:23 PM

This is still required on the public release of Sierra.

0 Karma
Reply
Solved! Jump to solution
Solution

naisanza
Path Finder
‎04-25-2016 01:13 PM

You'll want to append the following configuration option to $SPLUNK_HOME/etc/splunk-launch.conf:

OPTIMISTIC_ABOUT_FILE_LOCKING = 1

Note from malmoore (Splunk): As of 28 March 2018, this workaround has been officially documented in the Troubleshooting Manual. See Splunk Enterprise does not start due to unusable filesystem in the manual for the procedure.

The caveats for using this workaround still apply. Proceed with caution, and at your own risk. Irrevocable data loss can still occur. We have already had one report in this thread of problems that have occurred after enabling this setting.

Key points (as of 24 April 2018)

  • There is still no support for macOS 10.13 High Sierra on Splunk Enterprise version 7.0.
  • There is work scheduled to fix the problem for macOS 10.13 on Splunk Enterprise 7.0 and reinstate support, but there is no promise of delivery of this functionality.
  • There is support for macOS 10.13 High Sierra on APFS on Splunk Enterprise version 7.1.
Reply
Solved! Jump to solution

im_bharath
Path Finder
‎10-20-2022 07:17 AM

Hey @naisanza

I installed the splunk on the Ubuntu (WSL) and encountered the same issue and i have tried the option you have provided and it worked.. Thank you very much. 

0 Karma
Reply
Solved! Jump to solution

ipapa_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 01:02 AM

I had the same issue on MacOS High Sierra after the upgrade from Sierra. You just need to had this line of code and it works. Tested with Splunk Enterprise 7.0

0 Karma
Reply
Solved! Jump to solution

nitinkul
New Member
‎02-27-2018 07:45 AM

This worked for me..thank you.

0 Karma
Reply
Solved! Jump to solution

Jason_S
Path Finder
‎04-27-2018 12:18 PM

Splunk 7.1.0 now supports High Sierra (10.13):

http://docs.splunk.com/Documentation/Splunk/7.1.0/Installation/Systemrequirements#Unix_operating_sys...

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...