Solved: Why is the walklex command not working?

julienoud · ‎07-05-2018

Hello splunkers,
I'm trying to visualize one of my .tsidx file with the splunk "walklex" command, in order to see my segmentation improvements. Here is my code (Windows command line)

set SPLUNK_HOME=C:\Program Files\Splunk
cd %Splunk_HOME%\bin> splunk cmd walklex %SPLUNK_HOME%\var\lib\splunk\my_index\db\db_xxxxxx_xxxxxx_3\my_tsidx_file.tsidx ""

And i got the followind error : ERROR: enable to open C:\Program wrc=[-4,2]

Does anyone has an idea please?

RHASQaL · ‎07-05-2018

Hi

I tried the walklex command on a tsidx file in a hot db folder with Splunk running and received the same error as you reported. I then copied the file to another folder (C:\Temp) and reran the command using splunk cmd walklex C;\Temp\my_tsidx_file.tsidx "" and the command worked. So I'm suspecting the rc[4,2] relates to the file being locked.

View solution in original post

RHASQaL · ‎07-05-2018

Hi

I tried the walklex command on a tsidx file in a hot db folder with Splunk running and received the same error as you reported. I then copied the file to another folder (C:\Temp) and reran the command using splunk cmd walklex C;\Temp\my_tsidx_file.tsidx "" and the command worked. So I'm suspecting the rc[4,2] relates to the file being locked.

julienoud · ‎07-05-2018

Thank you RHASQaL it works very well, you've had a nice reflex here 🙂

Why is the walklex command not working?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?