Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

indexer not working after changing cluster configuration

_pravin
Communicator
‎11-04-2024 03:48 AM

Hi,

I am trying to change the indexer configuration from one cluster master to another but in the process of this change the indexer never starts.

The web service log looks like below 

 

 

 

bash$ tail -f var/log/splunk/web_service.log
2024-11-01 16:26:18,141 INFO    [6724f3196d7f1cd30e7350] _cplogging:216 - [01/Nov/2024:16:26:18] ENGINE Bus EXITED
2024-11-01 16:26:18,141 INFO    [6724f3196d7f1cd30e7350] root:168 - ENGINE: Bus EXITED
2024-11-01 16:38:48,635 INFO    [6724f608607f04aeca7810] __init__:174 - Using default logging config file: /data/apps/SPLUNK_INDEXER_1/splunk/etc/log.cfg
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.lib level=WARN
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.pdfgen level=INFO
2024-11-01 16:38:48,636 INFO    [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.archiver_restoration level=INFO

 

 

 

Now I have even removed the clustering configuration from the server.conf but still the same issue with the Splunk instance.

Any one else face the same issue?

 

Regards,
Pravin

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-04-2024 03:53 AM

Web service should be disabled on indexers so it's not unusual.

Check splunkd.log.

0 Karma
Reply

_pravin
Communicator
‎11-04-2024 06:50 AM

Hi @PickleRick ,

 

Thanks for the response. I agree that usually web service would be disabled but we keep the UI so that we can see the changes.

I managed to clean the indexer completely of all the configurations. Then recreate from backup and it worked.

 

Thanks,

Pravin

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...