Installation

After upgrading to Splunk 6.3, why am I getting a "Found stanza=_blocksignature in indexes.conf" error and am unable to find this stanza running btool?

tjohnson2
Explorer

I'm getting the following error after I upgraded to Splunk 6.3:

Search peer Splunk has the following message: Found stanza=_blocksignature in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

After running the btool command, I'm still unable to find this stanza in indexes.conf. Has anyone seen this issue before?

Labels (1)

doksu
SplunkTrust
SplunkTrust

This command will tell you which app the indexes.conf _blocksignature stanza resides in:

/opt/splunk/bin/splunk btool --debug-print=app indexes list _blocksignature | head -1 | awk '{print $1}'

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Is this on a standalone instance or in a distributed environment?

In distributed environment, you need to remove the the _blocksignature index configuration from the Master-Apps on the Master Node, and apply the bundle.

In standalone environments, this will most likely be in $splunk_home/etc/system/local if you have upgraded. You can check the default also for this, but it shouldn't be in there after the upgrade.

Krishnagrandhi
Explorer

If it's distributed environment and clustering is not implemented, remove _blocksignature index configuration from the indexes.conf file (on Deployment server if exists) then reload config.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...