Not able to create '_introspection' index

thezero
Path Finder

Hi Team,

I am getting the below error message when I am trying to create a new index 'introspection'.
Error:
In handler 'indexes': invalid name: '_introspection'. name parameter must be non-empty and cannot start with '_' or '-'

Scenario:
We have recently upgraded our heavy weight forwarder, and the indexer is still running an older version. After the HWF was upgraded we received a few warning messages in the GUI like "received event for unconfigured/disabled/deleted index index="_introspection"". Now Splunk is not allowing us to create the index _introspection. How can I resolve this? Please advise.

0 Karma

javiergn
SplunkTrust

See if this helps.
Keep in mind you can't manually create new indexes that start with _ because that is reserved for Splunk internal ones. Internal indexes don't count towards the license so it's easy to guess why this is not permitted 🙂

0 Karma

javiergn
SplunkTrust

This might help too

0 Karma

Lucas_K
Motivator

See if you can create it via a local indexes.conf edit and not via the GUI.

This is what it looks like in newer versions.

[_introspection]
homePath = $SPLUNK_DB/_introspection/db
coldPath = $SPLUNK_DB/_introspection/colddb
thawedPath = $SPLUNK_DB/_introspection/thaweddb
maxDataSize = 1024
frozenTimePeriodInSecs = 1209600

I am sure I did exactly this on some older indexers when customers updated their forwarders before we upgraded our own machines.

0 Karma
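
Added example, not part of the original thread: a Python check that reads the warning text quoted in the question, compares the index names it mentions against the stanzas in an indexes.conf body, and reports which indexes are missing and where they can be defined. The log lines, the `web_logs` and `app_audit` index names, and the function names are constructed for illustration.

```python
import configparser
import re

# Message text as quoted in the question; the rest of each log line is constructed.
WARNING_RE = re.compile(r'unconfigured/disabled/deleted index\s+index="([^"]+)"')

def configured_indexes(conf_text):
    """Return the stanza names defined in an indexes.conf body."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case such as homePath
    parser.read_string(conf_text)
    return set(parser.sections())

def missing_indexes(log_lines, conf_text):
    """Map each warned-about index with no stanza to where it can be defined."""
    defined = configured_indexes(conf_text)
    report = {}
    for line in log_lines:
        match = WARNING_RE.search(line)
        if match is None or match.group(1) in defined:
            continue
        name = match.group(1)
        # The 'indexes' handler rejected '_introspection' in the question, so
        # '_'-prefixed names go in a local indexes.conf stanza, as the reply suggests.
        report[name] = "local indexes.conf" if name.startswith("_") else "GUI or indexes.conf"
    return report

# Constructed sample input (hypothetical index names apart from _introspection).
SAMPLE_CONF = """\
[web_logs]
homePath = $SPLUNK_DB/web_logs/db
coldPath = $SPLUNK_DB/web_logs/colddb
thawedPath = $SPLUNK_DB/web_logs/thaweddb
"""
SAMPLE_LOG = [
    'WARN received event for unconfigured/disabled/deleted index index="_introspection"',
    'WARN received event for unconfigured/disabled/deleted index index="_introspection"',
    'WARN received event for unconfigured/disabled/deleted index index="app_audit"',
    'WARN received event for unconfigured/disabled/deleted index index="web_logs"',
    'INFO unrelated constructed line',
]

if __name__ == "__main__":
    for name, where in sorted(missing_indexes(SAMPLE_LOG, SAMPLE_CONF).items()):
        print(f"{name}: define in {where}")
```
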