Splunk Search
Highlighted

Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

Builder

After upgrading my lab to 6.3.0 the search heads are reporting this error when no index is explicitly supplied in the search

3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.

    [INDEXER1] Could not find an index named "_blocksignature".

I checked the spec file for indexes.conf and there is no mention of _blocksignature in the latest version, it does exist in earlier versions though. I tried to create the index and received this error from my master node

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered: Invalid stanza [_blocksignature] in /opt/splunk/etc/master-apps/_cluster/local/indexes.conf, line 1. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com. 

Has anyone else experienced this? Any suggestions?

Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

SplunkTrust
SplunkTrust

Check if your role has that index as permission/default from your pre-upgrade settings.

Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

Builder

Thanks for the comment. I should have mentioned that I explored that possibility. My role searches all non-internal indexes by default and can search all internal and non-internal indexes.

0 Karma
Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

Champion

just a thought,....you don't possibly have a copy of an older indexes.conf in a local directory somewhere on your search heads do you?

splunk btool indexes list _blocksignatrue --debug

also may be worth checking to see if it's specifically listed in an authorize.conf somewhere too? Not sure if that has an effect on search.

Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

SplunkTrust
SplunkTrust

Might be a job for grep:

grep -R _blocksignature /opt/splunk/etc
Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

Builder

The issue ended up being an outdated version of indexes.conf in /etc/slaveapps/_cluster/default/indexes.conf

Simply deploying the cluster bundle to your indexers after an upgrade should prevent/resolve this issue.

Thanks to everyone for the comments that lead me to my solution.

View solution in original post

Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

New Member

I have the same problem, tried many debug commands and search hard here
But still can not find the answer
When run any search command on search bar then message shows
Said as you mentioned "[Indexer...] Could not find an index named "blocksignature".
Did not find configuration file,etc/slaveapps/
cluster/default/indexes.conf
Only can find an conf file in etc/master-apps/cluster/default/indexes.conf
indexes.conf contents are followings------
[main]
repFactor = auto
[history]
repFactor = auto
[summary]
repFactor = auto
[
internal]
repFactor = auto
[audit]
repFactor = auto
[
thefishbucket]
repFactor = auto
[telemetry]
homePath = $SPLUNK
DB/telemetry/db
coldPath = $SPLUNK
DB/telemetry/colddb
thawedPath = $SPLUNK
DB/_telemetry/thaweddb
repFactor = auto

this index has been removed in the 4.1 series, but this stanza must be

preserved to avoid displaying errors for users that have tweaked the index's

size/etc parameters in local/indexes.conf.

[splunklogger]
repFactor = auto

-----End of indexes.con
Any suggestion ?Thank you very much

0 Karma
Highlighted

Re: Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

New Member

mhuang3
Use btool to find it in one of your indexes conf files.
Try this command, it will tell you what file(s) contain _blocksignature.
./splunk cmd btool indexes list --debug | grep _blocksignature

0 Karma