After editing Indexes.conf: Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured

vanderaj1
Path Finder

I was receiving the following messages on my search head, coming from one of my search peers:

Search peer has the following message: blockSignSize defined in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove all blockSignSize and blockSignatureDatabase (if present) keys from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

Search peer has the following message: Found stanza=_blocksignature in indexes.conf. The block-signing feature is no longer available in Splunk. Please remove stanza=[_blocksignature] from the indexes.conf. For further details, please refer to the related topic in the latest version of 'Securing Splunk' manual on docs.splunk.com.

So I went into /opt/splunk/etc/system/local on my search peer and removed the references to blockSignSize and blockSignatureDatabase, as well as the _blocksignature stanza. I then restarted splunkd. However, splunkd won't come up now.

When I try to start splunkd, I now get the following error:

Problem parsing indexes.conf: stanza=_audit Required parameter=tstatsHomePath not configured
Validating databases (splunkd validatedb) failed with code '1'.

Any idea what has caused this to happen?

0 Karma

esix_splunk
Splunk Employee

It seems you have deleted more than just the _blocksignature related parameters. Block signature was removed from 6.3, so this error is expected and you need to remove the index configuration. Are you working in a clustered or standalone environment? You need to fix your indexes.conf.

For _audit, this is the default:

[_audit]
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

But that is configured from $splunk_home/etc/system/default/indexes.conf. You shouldn't be editing that file.

vanderaj1
Path Finder

Very strangely, my $splunk_home/etc/system/default/indexes.conf is missing all the tstatsHomePath entries. But I definitely know not to edit that file (big no-no). I have no idea how those entries are missing.

Just this once, would it be permissible to add the tstatsHomePath entries to the default indexes.conf file, or would that make my situation even worse?

0 Karma
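
A pre-restart check for the situation in this thread, added here as an example; it is not part of the original posts and is not Splunk's own tooling. It merges a default and a local indexes.conf (local overrides default, with [default] supplying global settings), then reports leftover block-signing keys and index stanzas that end up with no tstatsHomePath. The parser is simplified, only two layers are considered, and the sample file contents and function names are constructed for illustration.

```python
import re

REMOVED_KEYS = {"blocksignsize", "blocksignaturedatabase"}  # named in the peer messages
REMOVED_STANZAS = {"_blocksignature"}
REQUIRED_KEYS = ["tstatsHomePath"]  # the parameter splunkd reported as missing

# Constructed sample layers (not the poster's real files).
DEFAULT_INTACT = "[_audit]\ntstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary\n"
DEFAULT_DAMAGED = "[_audit]\nhomePath = $SPLUNK_DB/audit/db\n"
LOCAL_OLD = "[_audit]\nblockSignSize = 100\n[_blocksignature]\nhomePath = $SPLUNK_DB/blocksig/db\n"

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza go to [default]."""
    stanzas = {}
    current = stanzas.setdefault("default", {})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(*layers):
    """Merge parsed layers key by key; later layers win (pass default first, then local)."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

def check_indexes(merged):
    """Return sorted findings: removed block-signing settings and missing required keys."""
    findings, global_keys = [], merged.get("default", {})
    for stanza, keys in merged.items():
        if stanza in REMOVED_STANZAS:
            findings.append(f"[{stanza}] stanza must be removed")
            continue
        findings += [f"[{stanza}] {k} must be removed" for k in keys if k.lower() in REMOVED_KEYS]
        if stanza == "default" or stanza.startswith("volume:"):
            continue  # global settings and volume definitions are not indexes
        effective = {**global_keys, **keys}  # stanza keys override [default]
        findings += [f"[{stanza}] missing {r}" for r in REQUIRED_KEYS if r not in effective]
    return sorted(findings)
```

Calling `check_indexes(merge_layers(parse_conf(default_text), parse_conf(local_text)))` on the real file contents before restarting splunkd shows whether a missing tstatsHomePath comes from the local edit or from the default layer itself.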