Splunk Enterprise Security

Any idea how I can troubleshoot this indexes.conf config?



I have this indexes.conf and added a frozen archive. The path is fully readable and writable by the Splunk user account. But when I add this config stanza the indexer fails to start. Just starting with this so I am curious what area some areas I should check.

alt text

0 Karma

  • Are you starting Splunk from the shell?
  • Are there any errors presented there?
  • If so, what are you seeing?

Take a look at:

There are several other log files in that directory that may be worth looking at including crash dumps.

0 Karma

Ultra Champion

What does splunkd.log say?

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...