Splunk Search

Why are my search heads looking for index _blocksignature after upgrading to 6.3.0?

dflodstrom
Builder

After upgrading my lab to 6.3.0, the search heads are reporting this error when no index is explicitly supplied in the search:

3 errors occurred while the search was executing. Therefore, search results might be incomplete.

    [INDEXER1] Could not find an index named "_blocksignature".

I checked the spec file for indexes.conf and there is no mention of _blocksignature in the latest version; it does exist in earlier versions, though. I tried to create the index and received this error from my master node:

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered: Invalid stanza [_blocksignature] in /opt/splunk/etc/master-apps/_cluster/local/indexes.conf, line 1. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com. 

Has anyone else experienced this? Any suggestions?

1 Solution

dflodstrom
Builder

The issue ended up being an outdated version of indexes.conf in /etc/slaveapps/_cluster/default/indexes.conf

Simply deploying the cluster bundle to your indexers after an upgrade should prevent/resolve this issue.

Thanks to everyone for the comments that led me to my solution.

mhuang3
New Member

I have the same problem. I tried many debug commands and searched hard here, but still cannot find the answer.
When I run any search command in the search bar, the message shows, as you mentioned, "[Indexer...] Could not find an index named "_blocksignature"."
I did not find the configuration file etc/slaveapps/_cluster/default/indexes.conf.
I can only find a conf file in etc/master-apps/_cluster/default/indexes.conf.
The indexes.conf contents are as follows:

    [main]
    repFactor = auto
    [history]
    repFactor = auto
    [summary]
    repFactor = auto
    [_internal]
    repFactor = auto
    [_audit]
    repFactor = auto
    [_thefishbucket]
    repFactor = auto
    [_telemetry]
    homePath = $SPLUNK_DB/_telemetry/db
    coldPath = $SPLUNK_DB/_telemetry/colddb
    thawedPath = $SPLUNK_DB/_telemetry/thaweddb
    repFactor = auto

    # this index has been removed in the 4.1 series, but this stanza must be
    # preserved to avoid displaying errors for users that have tweaked the index's
    # size/etc parameters in local/indexes.conf.
    [splunklogger]
    repFactor = auto

(End of indexes.conf.)
Any suggestions? Thank you very much.

0 Karma

mathew_eagles
New Member

mhuang3
Use btool to find it in one of your indexes conf files.
Try this command, it will tell you what file(s) contain _blocksignature.
    ./splunk cmd btool indexes list --debug | grep _blocksignature

0 Karma

maciep
Champion

Just a thought... you don't possibly have a copy of an older indexes.conf in a local directory somewhere on your search heads, do you?

    splunk btool indexes list _blocksignature --debug

It may also be worth checking to see if it's specifically listed in an authorize.conf somewhere too. Not sure if that has an effect on search.

martin_mueller
SplunkTrust

Might be a job for grep:

    grep -R _blocksignature /opt/splunk/etc

martin_mueller
SplunkTrust

Check if your role has that index as permission/default from your pre-upgrade settings.

dflodstrom
Builder

Thanks for the comment. I should have mentioned that I explored that possibility. My role searches all non-internal indexes by default and can search all internal and non-internal indexes.

0 Karma
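
The checks suggested in this thread (grep for the name, look for a stale indexes.conf, check the role's index settings in authorize.conf) combined into one script, as an added example that is not part of any post. `scan_index_refs` and `make_sample_tree` are hypothetical helper names, the sample tree is constructed and uses the directory names as written in the thread, and role entries are matched by exact name only, so wildcard entries such as `_*` are not reported.

```shell
#!/bin/sh
# Added example, not from the thread. Reports every place a removed index name
# is still defined (indexes.conf stanza) or granted to a role (authorize.conf).

# scan_index_refs ROOT INDEX -> prints "kind<TAB>file:line" for each hit
scan_index_refs() {
    root=$1 index=$2
    find "$root" -type f \( -name indexes.conf -o -name authorize.conf \) | sort |
    while IFS= read -r f; do
        case $f in
        */indexes.conf)
            # A stanza header is the index name alone in square brackets.
            awk -v idx="$index" -v f="$f" '
                { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
                line == "[" idx "]" { printf "stanza\t%s:%d\n", f, NR }' "$f" ;;
        */authorize.conf)
            # srchIndexesAllowed / srchIndexesDefault hold ";"-separated names.
            awk -v idx="$index" -v f="$f" '
                /^[ \t]*srchIndexes(Allowed|Default)[ \t]*=/ {
                    val = $0; sub(/^[^=]*=/, "", val)
                    n = split(val, parts, ";")
                    for (i = 1; i <= n; i++) {
                        gsub(/^[ \t]+|[ \t\r]+$/, "", parts[i])
                        if (parts[i] == idx) { printf "role\t%s:%d\n", f, NR; break }
                    }
                }' "$f" ;;
        esac
    done
}

# Constructed sample tree (not real data): a current master copy, a stale
# peer copy that still defines the stanza, and a role that still lists it.
make_sample_tree() {
    mkdir -p "$1/master-apps/_cluster/default" "$1/slaveapps/_cluster/default" "$1/system/local"
    printf '[main]\nrepFactor = auto\n[_audit]\nrepFactor = auto\n' \
        > "$1/master-apps/_cluster/default/indexes.conf"
    printf '[main]\nrepFactor = auto\n[_blocksignature]\nrepFactor = auto\n' \
        > "$1/slaveapps/_cluster/default/indexes.conf"
    printf '[role_admin]\nsrchIndexesAllowed = *;_*\nsrchIndexesDefault = main;_blocksignature\n' \
        > "$1/system/local/authorize.conf"
}

# Usage on a real install: scan_index_refs /opt/splunk/etc _blocksignature
```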