Getting Data In

Why am I getting "homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem." while starting Splunk on an indexer?

ayushchoudhary
Path Finder

I got this error while starting Splunk on the indexer.

homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem. Validating databases (splunkd validatedb) failed with code '1'. 

Please help urgently.

1 Solution

naisanza
Path Finder

You'll want to append the following configuration option to $SPLUNK_HOME/etc/splunk-launch.conf:

OPTIMISTIC_ABOUT_FILE_LOCKING = 1

Note from malmoore (Splunk): As of 28 March 2018, this workaround has been officially documented in the Troubleshooting Manual. See Splunk Enterprise does not start due to unusable filesystem in the manual for the procedure.

The caveats for using this workaround still apply. Proceed with caution, and at your own risk. Irrevocable data loss can still occur. We have already had one report in this thread of problems that have occurred after enabling this setting.

Key points (as of 24 April 2018)

  • There is still no support for macOS 10.13 High Sierra on Splunk Enterprise version 7.0.
  • There is work scheduled to fix the problem for macOS 10.13 on Splunk Enterprise 7.0 and reinstate support, but there is no promise of delivery of this functionality.
  • There is support for macOS 10.13 High Sierra on APFS on Splunk Enterprise version 7.1.

View solution in original post

Sp1unkin_it
Explorer

Thank you for this.

I ran into the same error this morning when I was installing Splunk 7.0 on Mac OS High Sierra.

This resolved the issue.

Splunkin' it!

0 Karma

starcher
SplunkTrust
SplunkTrust

This works again to get started on OSX High Sierra

Jason_S
Path Finder

The 'OPTIMISTIC_ABOUT_FILE_LOCKING = 1' appears to only be needed for OSX High Sierra running off a APFS volume. My High Sierra system running off a Mac OS Extended volume did not need this setting.

0 Karma

starcher
SplunkTrust
SplunkTrust

Yeah it is the file system type being the problem.

0 Karma

hardikJsheth
Motivator

I had the same problem after upgrading to Splunk 7.0 on my mac. After I added OPTIMISTIC_ABOUT_FILE_LOCKING = 1, I was able to start the splunk.

0 Karma

yannK
Splunk Employee
Splunk Employee

This is fixed in splunk 6.5.*, the problem was for MACOS Sierra filesystem check.
For older versions you could use the workaround above, or upgrade.

0 Karma

Jason_S
Path Finder

yannK: I had this issue using Splunk 7.0.0 on High Sierra using APFS and have filed a support case requesting APFS support.

aharkare
New Member

After adding OPTIMISTIC_ABOUT_FILE_LOCKING = 1 to splunk-launch.conf file it worked for Mac OS High Sierra Version 10.13.1 (17B48). Thank you so much for the suggestion!

0 Karma

Rocky31
Path Finder

Hi where did you added this line OPTIMISTIC_ABOUT_FILE_LOCKING = 1

This is my splunk-launch.conf

#   Version 7.0.1

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
# SPLUNK_HOME=/opt/build/splunk-home

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory.  This can be overridden
# here:
#
# SPLUNK_DB=/opt/build/splunk-home/var/lib/splunk
# Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd

# Splunkweb daemon name
SPLUNK_WEB_NAME=splunkweb

# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER
0 Karma

sloshburch
Ultra Champion

Location shouldn't matter. So long as it's not commented out (with the hash #). So feel free to just add it to the end with the necessary comments about why you included it for your own benefit in the future.

0 Karma

Rocky31
Path Finder

i fixed it thank you

0 Karma

ff_rumali
Explorer

The comment from Dimitri mentioning Sierra triggered me to try this configuration option. It worked for me on my recently upgraded MacBook.

0 Karma

heynash
Engager

This was spot on for me. Great advice, thanks.

0 Karma

Rocky31
Path Finder

i have the same issue, i don't the line in splunk-launch.conf
is it i need to add the line in .conf file

0 Karma

Rocky31
Path Finder

i fixed it thank you

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!