Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Indexing problems

AntoineDRN
Path Finder
‎05-05-2022 07:04 AM

Hello Splunkers!

I'm pretty new with Splunk and I retrieve an old splunk project that i didn't set up at all. I'm trying to train myself on it, but... I have some problems i couldn't solve alone.

I have one Search Head, one Indexer and between 3 and 5 forwarders depending on my need. 

Here is the VM of my indexer :

AntoineDRN_0-1651758804401.png

Almost all logs that I collected went in /dev/vda1, which is not suppose to be the case. I've override the default storage location , but i guess it doesn't matter ...

/opt/splunk/etc/system/local/indexes.conf   :

[main]
homePath = /mnt/data/$_index_name/db

I assume it's the reason why i stillm got those messages : 

AntoineDRN_1-1651759224743.png

AntoineDRN_2-1651759251090.pngAntoineDRN_3-1651759267747.png

Please let me know if I did something wrong or if i missed something,

Thanks in advance for your help!

Regards ,

Antoine

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-05-2022 07:25 AM

Hi @AntoineDRN,

you have to set the $SPLUNK_DB variable on Indexers in $SPLUNK_HOME/etc/splunk-launch.conf:

you should find it commented, you have to uncomment it and use the correct folder where indexes are located,

by default it's $SPLUNK_HOME/var/lib/splunk, in your case it should be /dev/vda1.

Then, you have to insert in each path that you find in each indexes,conf

[index_name]
coldPath = $SPLUNK_DB\index_name\colddb
homePath = $SPLUNK_DB\index_name\db
thawedPath = $SPLUNK_DB\index_name\thaweddb

Remember to restart Splunk after conf files upgrade.

In this way the indexes.conf files address the correct folders.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-05-2022 07:25 AM

Hi @AntoineDRN,

you have to set the $SPLUNK_DB variable on Indexers in $SPLUNK_HOME/etc/splunk-launch.conf:

you should find it commented, you have to uncomment it and use the correct folder where indexes are located,

by default it's $SPLUNK_HOME/var/lib/splunk, in your case it should be /dev/vda1.

Then, you have to insert in each path that you find in each indexes,conf

[index_name]
coldPath = $SPLUNK_DB\index_name\colddb
homePath = $SPLUNK_DB\index_name\db
thawedPath = $SPLUNK_DB\index_name\thaweddb

Remember to restart Splunk after conf files upgrade.

In this way the indexes.conf files address the correct folders.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...