Solved: splunk does not start and has indexing disabled

yannK · ‎12-03-2012

After starting splunk stops immediately with

in splunkd.log

12-03-2012 16:16:26.414 -0800 ERROR IndexProcessor - default index disabled - quit!

and on the command line

Validating databases (splunkd validatedb) failed with code '-1'. Please file a case online at http://www.splunk.com/page/submit_issue

jbsplunk · ‎12-04-2012

I suspect the issue is the one in the answer I posted here, so take a look at this link:

http://splunk-base.splunk.com/answers/23536/moving-indexes-to-a-new-splunk-server

To find the colliding buckets, see this post:

http://splunk-base.splunk.com/answers/34811/how-can-i-find-all-duplicate-bucket-ids-that-are-causing...

View solution in original post

yannK · ‎12-04-2012

in $SPLUNK_HOME/etc/apps/search/local/indexes.conf I see
[main] disabled =1

but it comes back if I remove it.

jbsplunk · ‎12-04-2012

I suspect the issue is the one in the answer I posted here, so take a look at this link:

http://splunk-base.splunk.com/answers/23536/moving-indexes-to-a-new-splunk-server

To find the colliding buckets, see this post:

http://splunk-base.splunk.com/answers/34811/how-can-i-find-all-duplicate-bucket-ids-that-are-causing...

yannK · ‎12-04-2012

Great, I had duplicates bucket ids in my main index : defaultdb\db
I remember now, my backup agent did restore indexes the other day, it seems that multiples indexes were merged into one.

jbsplunk · ‎12-04-2012

Prior to the IndexProcessor error, there should be another ERROR that indicates what is wrong with the default index. Can you check your splunkd.log and see if any error's pop up before the disabled message?

splunk does not start and has indexing disabled

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!