Hello folks, Need your help.
Here is the splunkd.log file with grep kvstore. Please review and advise what went wrong and what needs to be done to fix this issue.
Jumping in to throw some speculations in the mix.. I don't know if this will fix the problems or its related.
Is this a new instance or an older Splunk Installations?
In the past, especially after upgrading, I had problems with the KVStore which could be fixed by forcing Splunk to generate a new server.pem
You can force Splunk to create a new certificate by renaming the old one in /SPLUNK_HOME/etc/auth/server.pem to /SPLUNK_HOME/etc/auth/server.pem_old
then restart Splunk and it generates a new server.pem at startup
If everything works you can delete the server.pem_old
Indexers do not use the KVStore so it should be disabled. Add these lines (if not already present) to the server.conf file on each indexer and restart them.
[kvstore]
disabled = true
Then you can ignore those log messages.
Hi Rich,
Based on your answer, am I correct to assume that the KV Store role can be removed from the Indexer`s roles ?
Many thanks.
If you're referring to the roles listed in the Monitoring Console then, yes. Doing so does not change anything on the indexer itself, however.
in default server.conf it is enabled, but you are saying by default it should be disabled, then why default conf file it is enabled ?
I did not say it should be disabled by default. I merely said it should be disabled if it is not already,
Thanks for your response. So, shall I disable from the default dir or local dir ? please advise.
Never edit a file in a default dir.