I am in the process of doing some maintenance on my indexer cluster (1 cluster master, 2 peer indexers).
I put my cluster master in maintenance-mode then went onto the first indexer and placed it in offline mode. Splunk responded on the indexer by indicating "reassigning primaries ... this may take a few minutes". This process however appears to be taking quite a while (currently 3 hours).
If I look at the splunkd log running on this indexer, I see the following:
Note: I have only put in what appear to be significant lines at the end of the splunkd.log file.
To my mind this appears as though the indexer has successfully transitioned to offline; however, the cmd prompt still appears to be processing (still printing dots to the screen). It would be good to get a second opinion as to whether I terminate the command prompt with the "splunk offline" command running.
Thanks for that reply.
At the end of the day, I figured that the log indicated that it had finished. So I terminated the splunkd process and shut down/rebooted the server (which I had to do anyway as part of the maintenance activity I was doing).
It appears to have come back up (just looking at it now) and joined the cluster. Search and replication factor have gone back to green. It all appears to be working again, but quite weird.
This is quite interesting if it still prints those dots even though the logs said that it has shut down already.
The first message "Access denies" could mean that there are some files which have the wrong ownership. You should do `chown -R <splunk>:<splunk>` for $SPLUNK_HOME and all data dirs, which you probably have somewhere else.
I suppose that you are running it on Linux. So do "ps -fe" and check whether there are still any Splunk-based processes and who owns them.
r. Ismo