Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Indexing problems

AntoineDRN
Path Finder
‎05-05-2022 07:04 AM

Hello Splunkers!

I'm pretty new with Splunk and I retrieve an old splunk project that i didn't set up at all. I'm trying to train myself on it, but... I have some problems i couldn't solve alone.

I have one Search Head, one Indexer and between 3 and 5 forwarders depending on my need. 

Here is the VM of my indexer :

AntoineDRN_0-1651758804401.png

Almost all logs that I collected went in /dev/vda1, which is not suppose to be the case. I've override the default storage location , but i guess it doesn't matter ...

/opt/splunk/etc/system/local/indexes.conf   :

[main]
homePath = /mnt/data/$_index_name/db

I assume it's the reason why i stillm got those messages : 

AntoineDRN_1-1651759224743.png

AntoineDRN_2-1651759251090.pngAntoineDRN_3-1651759267747.png

Please let me know if I did something wrong or if i missed something,

Thanks in advance for your help!

Regards ,

Antoine

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-05-2022 07:25 AM

Hi @AntoineDRN,

you have to set the $SPLUNK_DB variable on Indexers in $SPLUNK_HOME/etc/splunk-launch.conf:

you should find it commented, you have to uncomment it and use the correct folder where indexes are located,

by default it's $SPLUNK_HOME/var/lib/splunk, in your case it should be /dev/vda1.

Then, you have to insert in each path that you find in each indexes,conf

[index_name]
coldPath = $SPLUNK_DB\index_name\colddb
homePath = $SPLUNK_DB\index_name\db
thawedPath = $SPLUNK_DB\index_name\thaweddb

Remember to restart Splunk after conf files upgrade.

In this way the indexes.conf files address the correct folders.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-05-2022 07:25 AM

Hi @AntoineDRN,

you have to set the $SPLUNK_DB variable on Indexers in $SPLUNK_HOME/etc/splunk-launch.conf:

you should find it commented, you have to uncomment it and use the correct folder where indexes are located,

by default it's $SPLUNK_HOME/var/lib/splunk, in your case it should be /dev/vda1.

Then, you have to insert in each path that you find in each indexes,conf

[index_name]
coldPath = $SPLUNK_DB\index_name\colddb
homePath = $SPLUNK_DB\index_name\db
thawedPath = $SPLUNK_DB\index_name\thaweddb

Remember to restart Splunk after conf files upgrade.

In this way the indexes.conf files address the correct folders.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...