Getting Data In

UF not sending any data - The pipeline indexerPipe threw an exception during initialize

abonuccelli_spl
Splunk Employee
Splunk Employee

Hi,

I have configured a Universal Forwarder with inputs, outputs, I can see in Debug all the monitored files are detected, however it looks like it will not send any data?
In the logs I can see:

05-12-2014 15:03:28.084 +0100 INFO IndexProcessor - Initializing: readonly=false reloading=false
05-12-2014 15:03:28.084 +0100 ERROR IndexConfig - stanza=default Required parameter=blockSignatureDatabase not configured
05-12-2014 15:03:28.084 +0100 ERROR IndexProcessor - Index configuration error: stanza=default Required parameter=blockSignatureDatabase not configured
05-12-2014 15:03:28.084 +0100 ERROR pipeline - Index configuration error: stanza=default Required parameter=blockSignatureDatabase not configured
05-12-2014 15:03:28.084 +0100 ERROR PipelineComponent - The pipeline indexerPipe threw an exception during initialize
05-12-2014 15:03:28.084 +0100 INFO PipelineComponent - Shutting down system due to fatal error

what is the problem?

0 Karma
1 Solution

abonuccelli_spl
Splunk Employee
Splunk Employee

You might want to check that

You might have the SplunkUniversalForwarder app 'disabled' via state parameter in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/app.conf

$SPLUNK_HOME/cat etc/apps/SplunkUniversalForwarder/default/app.conf 
#Version @SPLUNK_VERSION@ 
[default]

[install] 
state = enabled

If disabled, turn to enabled as in the above example

View solution in original post

abonuccelli_spl
Splunk Employee
Splunk Employee

You might want to check that

You might have the SplunkUniversalForwarder app 'disabled' via state parameter in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/app.conf

$SPLUNK_HOME/cat etc/apps/SplunkUniversalForwarder/default/app.conf 
#Version @SPLUNK_VERSION@ 
[default]

[install] 
state = enabled

If disabled, turn to enabled as in the above example

k2skaterii
Path Finder

Thanks for that! While not the fix to my exact problem, this answer got me on the path to figure out the problem in just a few short minutes.

In my case it wasn't that the $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/app.conf was misconfigured...

In my case it turns out that a poorly thought out workaround to another problem ended up deleting everything in the $SPLUNK_HOME/etc/apps/ folder. Including the whole SplunkUniversalForwarder folder.

0 Karma

ryanhast
Explorer

I had this issue on a UF running on windows. The UF was missing the $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/. I ran a repair from the windows "Programs and Features". After the repair $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/ was present and error went away.
Splunk UF 6.2.6.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...