While running splunk diag on an indexer, I received the following error messages. Any ideas as to what they mean or if there is a problem?
[root@splunk bin]# ./splunk diag
Ensuring clean temp dir...
Selected diag name of: diag-splunk.domain.org-2013-08-22
Starting splunk diag...
sh: lsb_release: command not found
No directory separator found in index path: $SPLUNK_DB\fw\db
No directory separator found in index path: $SPLUNK_DB\fw\colddb
No directory separator found in index path: $SPLUNK_DB\fw\thaweddb
No directory separator found in index path: $SPLUNK_DB\randomlogs\db
No directory separator found in index path: $SPLUNK_DB\randomlogs\colddb
No directory separator found in index path: $SPLUNK_DB\randomlogs\thaweddb
Thanks in advance!
Have you created your indexes.conf on a Windows machine (or with a Windows mindset)? It looks like you are using backslashes instead of forward slashes.
/K
Is there any way to correct this in a cluster environment? I just checked the master and it happens that the initial platform was a Windows one; however, when we created our cluster, we changed to Linux. I completely forgot to change the separator in the paths, and Splunk didn't alert me of anything going wrong during the execution of the bundle to distribute the configurations to the indexers.
So, is there any way to correct this without losing reference to the data on those indexes? Currently this is a production environment, and even when I'm not having big trouble other than the diag message, I would like to have it corrected, just as a good practice and for the health of the environment.
Thanks.
Are you getting any new events into these indexes? If not, you should probably correct this. Good luck.
There was a time where this type of indexes.conf would break splunk.
It's impossible to safely handle this type of path correctly on unix, so it should not work (backslash is a valid character in a dirname). I think, however, someone in engineering decided to "just make it work" unsafely. Diag is not willing to let this slide.
You should really use forward slashes on unix; the backslashes are not valid. These days forward slashes work on both platforms (a long time ago they did not).
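A check for the misconfiguration discussed in this thread, as an added example that is not part of any poster's reply and not Splunk's own code. It assumes the index path settings are the `homePath`, `coldPath` and `thawedPath` keys of indexes.conf; the sample text and the `[main]` stanza are constructed, and `find_backslash_paths` is a hypothetical helper name.

```python
import re

# Path-valued settings in an indexes.conf index stanza (assumed key names).
PATH_KEYS = {"homePath", "coldPath", "thawedPath"}

# Constructed sample mirroring the paths in the diag output above;
# the [main] stanza is a constructed well-formed entry for contrast.
SAMPLE = r"""
[fw]
homePath = $SPLUNK_DB\fw\db
coldPath = $SPLUNK_DB\fw\colddb
thawedPath = $SPLUNK_DB\fw\thaweddb

[main]
homePath = $SPLUNK_DB/defaultdb/db
"""


def find_backslash_paths(conf_text):
    """Return (stanza, key, value, forward_slash_form) for each index
    path setting whose value contains a backslash."""
    findings = []
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key in PATH_KEYS and "\\" in value:
            findings.append((stanza, key, value, value.replace("\\", "/")))
    return findings


if __name__ == "__main__":
    for stanza, key, value, fixed in find_backslash_paths(SAMPLE):
        print(f"[{stanza}] {key} = {value}  ->  {fixed}")
```

The script only reports affected settings and their forward-slash form; it does not edit the file or touch any directories already created on disk.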
Whoops, yes I did move everything from Windows to Linux. Now I have folders in splunk/var/lib named "splunk\randomlogs\db" and "splunk\randomlogs\colddb" and "splunk\randomlogs\thaweddb" instead of a randomlogs directory and subdirectories for db, colddb, and thawed. So far this hasn't caused any issues aside from the diag output. Aside from being a mess, is it OK to leave it this way or will this have further negative consequences?