Getting Data In

bad index path

Path Finder

So I added a new index and without thinking I hit submit without changed db info. I restarted and now I can get splunk up as you can see below. Anyone know how to remove an index reference with splunk not running?

root@atpscld1>/opt/splunk/bin/splunk start

Splunk> 4TW

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory...
Problem parsing indexes.conf: The homePath "/opt/splunk/var/lib/splunk/defaultdb/db" of index "nms" is repeated multiple times (already specified as homePath of index "main").
Validating databases (splunkd validatedb) failed with code '1'. Please file a case online at http://www.splunk.com/page/submit_issue
root@atpscld1>

root@atpscld1>/opt/splunk/bin/splunk disable index nms
Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".
root@atpscld1>

0 Karma

Communicator

jlaigo2 -
Assuming you have version 4.x or higher and that you are running a single Splunk instance.

1) Go to /opt/splunk/etc/system/local

Windows = $SPLUNK_HOME\etc\system\local

2) EDIT your indexes.conf
You can just delete the lines with the new index name in the brackets
- OR just edit it so it has the correct path - You can look at indexes.conf.example too

   [indexname]
    thawedPath = $SPLUNK_DB/indexname/thaweddb
    homePath = $SPLUNK_DB/indexname/db
    coldPath = $SPLUNK_DB/indexname/colddb

3) Start Splunk

0 Karma

Champion

See; http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf

You should find your new one in $SPLUNK_HOME/etc/system/local/indexes.conf.
Just open the conf and delete the lines relevant to the faulty index and restart splunk and all should be well again, you can then add it via the conf file (as per the link) or have another go through the UI 🙂

Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!