Installation

Why does the upgrade to 6.5.1 touch SPLUNK_HOME/etc/system/local?

ddrillic
Ultra Champion

We went through an upgrade to 6.5.1 and the upgrade touched SPLUNK_HOME/etc/system/local on the indexers. Should it happen? We see indexes.conf with a new timestamp.

Labels (1)
Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi dddillic,

We had that happened when doing a Splunk upgrade from 6.4.3 to 6.5.0 on SBOX 1.4 - which was confirmed as a SBOX bug....

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

sjohnson_splunk
Splunk Employee
Splunk Employee

I looked at the manifest file for the 6.5.1 update (in $SPLUNK_HOME) and it appears that it updates the README file in etc/system/local

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi dddillic,

We had that happened when doing a Splunk upgrade from 6.4.3 to 6.5.0 on SBOX 1.4 - which was confirmed as a SBOX bug....

Hope this helps ...

cheers, MuS

0 Karma

ddrillic
Ultra Champion

Interesting - thank you. Can you please convert it to an answer so I can accept it?

0 Karma

MuS
SplunkTrust
SplunkTrust

update ping ...

0 Karma

ddrillic
Ultra Champion

very kind - thank you.

0 Karma

hartfoml
Motivator

@ddrillic
I see above that you are mentioning the indexes.conf file.
Are you using SBOX like @MuS and think this is a bug?

@sjohnson did not mention a change to indexes.conf in the inspection of the manifest below?

0 Karma

ddrillic
Ultra Champion

We don't use SBOX.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

From which version you upgraded to 6.5.1?

ddrillic
Ultra Champion

We upgraded from 6.4.1.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

There were changes in indexes.conf specification from 6.4.3 to 6.5.1 and Splunk would've validated/updated the indexes.conf file during upgrade process. Check the migration log ($Splunk_Home/var/log/splunk/migration_timestmap.log) and search for indexes.conf.

0 Karma

ddrillic
Ultra Champion

great. I see in the log the following -

Copying '/opt/splunk/etc/system/local/indexes.conf' to '/opt/splunk/etc/system/local/indexes.conf.old' but nothing about modifying the file....

-rw-r--r--. 1 splnkstg dce       314 Jan  4 19:23 indexes.conf.old
-rw-r--r--. 1 splnkstg splnkstg  313 Jan  4 19:23 indexes.conf

One byte less in the modified file.

$ diff indexes.conf.old indexes.conf
2d1
< 
4d2
< maxTotalDataSizeMB = 500000
5a4
> maxTotalDataSizeMB = 500000
8d6
< maxTotalDataSizeMB = 500000
9a8
> maxTotalDataSizeMB = 500000
12d10
< maxTotalDataSizeMB = 500000
13a12
> maxTotalDataSizeMB = 500000
16d14
< maxTotalDataSizeMB = 500000
17a16
> maxTotalDataSizeMB = 500000
0 Karma

somesoni2
SplunkTrust
SplunkTrust

I believe there was nothing changed on data perspective, may be some leading/trailing spaces got truncated. So basically you didn't have any incompatible indexes.conf entries so nothing new got updated, seems like it just created a backup and validated the stanzas as per 6.5.1 specification.

0 Karma

ddrillic
Ultra Champion

Makes perfect sense!!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...