Knowledge Management

How to troubleshoot an indexer not rejoining cluster after OS rebuild and data restore of /opt/splunk/ and /var/opt/splunk?

M2016G0216
Explorer

We recently had an issue with one of our indexers. We had to do a restore of /opt/splunk and /var/opt/splunk after rebuilding the OS. When I started the splunkd service, it asked me to accept the license, which I thought was strange considering this was a restore of a system that's been in production since 2015. I accepted the license and it proceeded with "upgrading" the config files. After that, the system wasn't recognized by the master node, nor could I get the indexer to rejoin the cluster. I noticed that splunkd failed to run. I re-entered the passkey in clear text for pass4SymmKey in /opt/splunk/etc/system/local/server.conf and attempted to start splunkd again. This time splunkd was able to run, but the indexer couldn't communicate on port 8000 even though in the checking prerequisites it listed port 8000 as open. I got the message "Waiting for web server at https://127.0.0.1:8000 to be available." Also, I got the following error as splunkd was attempting to start when checking conf files for problems:

Can't read key file /opt/splunk/etc/auth/server.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
Couldn't initialize SSL Context for HTTPClient in ServerConfig.

Any recommendations on what I should do next to get the indexer to rejoin the cluster?

0 Karma
1 Solution

M2016G0216
Explorer

The issue was identified and resolved -- server.pem was bad due to an erroneous replacement; sslkeys were reset and the correct server.pem used. There remained some issues with duplicate bucket ids which had to be fixed before the indexer was able to rejoin.


0 Karma