Hey, I am setting up a Splunk Dev env. I have one indexer, one SH, and one forwarder. I have uninstalled and reinstalled the Dev Indexer. I am trying to set it up to use two different filesystems as ...
See more...
Hey, I am setting up a Splunk Dev env. I have one indexer, one SH, and one forwarder. I have uninstalled and reinstalled the Dev Indexer. I am trying to set it up to use two different filesystems as cold/hot data. The error im receiving when i restart Splunk is Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index '_audit': path of homePath must be absolute ('$SPLUNK_HOME/data/audit/db')
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue Im not sure how to set this up correctly. I reinstalled the indexer so i could fix the mounts and storage. For the /export/opt/splunk/etc/system.local/indexes.conf, i have something like: [default]
homePath = $SPLUNK_DB/hot/$_index_name/db
coldPath = $SPLUNK_DB/cold/$_index_name/colddb For my Splunk_DB, I have tried to set it in the Splunk-Launch.conf, as shown below: # Version 9.2.0.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
SPLUNK_HOME=/export/opt/splunk/
# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#
SPLUNK_DB=$SPLUNK_HOME/data/
# Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd
# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
ENABLE_CPUSHARES=true