Splunk Enterprise

indexer not working after changing cluster configuration

_pravin
Communicator

Hi,

I am trying to change the indexer configuration from one cluster master to another but in the process of this change the indexer never starts.

The web service log looks like below 

 

 

 

bash$ tail -f var/log/splunk/web_service.log
2024-11-01 16:26:18,141 INFO    [6724f3196d7f1cd30e7350] _cplogging:216 - [01/Nov/2024:16:26:18] ENGINE Bus EXITED
2024-11-01 16:26:18,141 INFO    [6724f3196d7f1cd30e7350] root:168 - ENGINE: Bus EXITED
2024-11-01 16:38:48,635 INFO    [6724f608607f04aeca7810] __init__:174 - Using default logging config file: /data/apps/SPLUNK_INDEXER_1/splunk/etc/log.cfg
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.lib level=WARN
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.pdfgen level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.archiver_restoration level=INFO

 

 

 

Now I have even removed the clustering configuration from the server.conf but still the same issue with the Splunk instance.

Any one else face the same issue?

 

Regards,
Pravin

Labels (3)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Web service should be disabled on indexers so it's not unusual.

Check splunkd.log.

0 Karma

_pravin
Communicator

Hi @PickleRick ,

 

Thanks for the response. I agree that usually web service would be disabled but we keep the UI so that we can see the changes.

I managed to clean the indexer completely of all the configurations. Then recreate from backup and it worked.

 

Thanks,

Pravin

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...