Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot an indexer not rejoining cluster after OS rebuild and data restore of /opt/splunk/ and /var/opt/splunk?

M2016G0216
Explorer
‎08-01-2016 07:28 AM

We recently had an issue with one of our indexers. We had to do a restore of /opt/splunk and /var/opt/splunk after rebuilding the OS. When I started the splunkd service, it asked me to accept the license which I thought was strange considering this was a restore of a system that's been in production since 2015. I accepted the license and it proceeded with "upgrading" the config files. After that, the system wasn't recognized by the master node and nor could I get the indexer to rejoin the cluster. I noticed that splunkd failed to run. I re-entered the passkey in clear text for pass4SymmKey in /opt/splunk/etc/system/local/server.conf and attempted to start splunkd again. This time splunkd was able to run, but the indexer couldn't communicate on port 8000 even though in the checking prerequisites it listed port 8000 as open. I got the message "Waiting for web server at https://127.0.0.1:8000 to be available." Also, I got the following error as splunkd was attempting to start when checking conf files for problems -- Can't read key file /opt/splunk/etc/auth/server.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
Couldn't initialize SSL Context for HTTPClient in ServerConfig. Any recommendations on what I should do next to get the indexer to rejoin the cluster?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

M2016G0216
Explorer
‎08-15-2016 11:55 AM

The issue was identified and resolved -- server.pem was bad due erroneous replacment, sslkeys were reset and correct server.pem used. There remained some issues with duplicate bucket ids which had to be fixed before the indexer was able to rejoin

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

M2016G0216
Explorer
‎08-15-2016 11:55 AM

The issue was identified and resolved -- server.pem was bad due erroneous replacment, sslkeys were reset and correct server.pem used. There remained some issues with duplicate bucket ids which had to be fixed before the indexer was able to rejoin

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...