Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

After upgrading to Splunk 6.3, why am I getting a "Found stanza=_blocksignature in indexes.conf" error and am unable to find this stanza running btool?

tjohnson2
Explorer
‎11-07-2015 12:49 PM

I'm getting the following error after I upgraded to Splunk 6.3:

Search peer Splunk has the following message: Found stanza=_blocksignature in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

After running the btool command, I'm still unable to find this stanza in indexes.conf. Has anyone seen this issue before?

Labels (1)
Labels
Reply

doksu
Contributor
‎02-09-2016 07:04 PM

This command will tell you which app the indexes.conf _blocksignature stanza resides in:

/opt/splunk/bin/splunk btool --debug-print=app indexes list _blocksignature | head -1 | awk '{print $1}'

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎11-09-2015 09:06 PM

Is this on a standalone instance or in a distributed environment?

In distributed environment, you need to remove the the _blocksignature index configuration from the Master-Apps on the Master Node, and apply the bundle.

In standalone environments, this will most likely be in $splunk_home/etc/system/local if you have upgraded. You can check the default also for this, but it shouldn't be in there after the upgrade.

Reply

Krishnagrandhi
Explorer
‎01-19-2017 06:34 AM

If it's distributed environment and clustering is not implemented, remove _blocksignature index configuration from the indexes.conf file (on Deployment server if exists) then reload config.

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...