After upgrading my lab to 6.3.0 the search heads are reporting this error when no index is explicitly supplied in the search
3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
[INDEXER1] Could not find an index named "_blocksignature".
I checked the spec file for indexes.conf and there is no mention of _blocksignature in the latest version, it does exist in earlier versions though. I tried to create the index and received this error from my master node
In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered: Invalid stanza [_blocksignature] in /opt/splunk/etc/master-apps/_cluster/local/indexes.conf, line 1. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.
Has anyone else experienced this? Any suggestions?
The issue ended up being an outdated version of indexes.conf in /etc/slaveapps/_cluster/default/indexes.conf
Simply deploying the cluster bundle to your indexers after an upgrade should prevent/resolve this issue.
Thanks to everyone for the comments that lead me to my solution.
The issue ended up being an outdated version of indexes.conf in /etc/slaveapps/_cluster/default/indexes.conf
Simply deploying the cluster bundle to your indexers after an upgrade should prevent/resolve this issue.
Thanks to everyone for the comments that lead me to my solution.
I have the same problem, tried many debug commands and search hard here
But still can not find the answer
When run any search command on search bar then message shows
Said as you mentioned "[Indexer...] Could not find an index named "_blocksignature".
Did not find configuration file,etc/slaveapps/_cluster/default/indexes.conf
Only can find an conf file in etc/master-apps/_cluster/default/indexes.conf
indexes.conf contents are followings------
[main]
repFactor = auto
[history]
repFactor = auto
[summary]
repFactor = auto
[_internal]
repFactor = auto
[_audit]
repFactor = auto
[_thefishbucket]
repFactor = auto
[_telemetry]
homePath = $SPLUNK_DB/_telemetry/db
coldPath = $SPLUNK_DB/_telemetry/colddb
thawedPath = $SPLUNK_DB/_telemetry/thaweddb
repFactor = auto
[splunklogger]
repFactor = auto
-----End of indexes.con
Any suggestion ?Thank you very much
mhuang3
Use btool to find it in one of your indexes conf files.
Try this command, it will tell you what file(s) contain _blocksignature.
./splunk cmd btool indexes list --debug | grep _blocksignature
just a thought,....you don't possibly have a copy of an older indexes.conf in a local directory somewhere on your search heads do you?
splunk btool indexes list _blocksignatrue --debug
also may be worth checking to see if it's specifically listed in an authorize.conf somewhere too? Not sure if that has an effect on search.
Might be a job for grep:
grep -R _blocksignature /opt/splunk/etc
Check if your role has that index as permission/default from your pre-upgrade settings.
Thanks for the comment. I should have mentioned that I explored that possibility. My role searches all non-internal indexes by default and can search all internal and non-internal indexes.