I'm reinstalling some UFs in my VM network. I'm using a suggestion posted in http://answers.splunk.com/answers/86950/upgrading-the-universal-forwarder-from-32bit-to-64bit
1 - backup the $SPLUNK_HOME/etc/ folder 2 - backup the $SPLUNK_HOME/var/ folder 3 - remove the old 32bit installation 4 - install the new one (same version but 64bit) 5 - copy back the etc folder to replace 6 - copy back the var folder to replace 7 - start splunk
Due to size restrictions of my /opt directory in my VMs, I'd like to wipe the .../log/splunk directory (most are over 100MB in size) before backing up the .../var directory. However, when the change is complete, I get a batch off errors like the one below. I see that my log files are still being written to, but I'm having a hard time testing what's going on in terms of indexing the sourcetype 'splunkd'. Is the error below a one time thing or will the UFs no longer tail any log files (i.e., the new ones)? If not, will they reindex on every restart or or simply not index at all? Would there be a way to correct it, via Splunk command, conf file, or refresh? Thanks!
05-21-2014 16:42:11.979 -0400 ERROR TailingProcessor - Invalid value ' ' for parameter ‘detect_trailing nulls’ for source ‘/opt/splunkforwarder/var/log/splunk/metrics.log’, sourcetype ‘splunkd’. Assuming default of ‘false’.
... View more