Getting Data In

Why is there a Problem parsing indexes.conf and throwing an error?

perlish
Communicator

Hi, i restall the splunk
Then i copied the old /splunk/var/ to the new /opt/splunk/
But when i start splunk,i met this error

Problem parsing indexes.conf: default index disabled - quit!
Validating databases (splunkd validatedb) failed with code '1'. Please file a case online at http://www.splunk.com/page/submit_issue

And then i copied the all old indexes.conf to overwrite the new indexes.conf

But still this error

Labels (2)
Tags (2)

yannK
Splunk Employee
Splunk Employee

usually, this is because splunk detected a duplicate bucket id in your main index.
see http://splunk-base.splunk.com/answers/34811/how-can-i-find-all-duplicate-bucket-ids-that-are-causing...

to fix :

  • check the logs $SPLUNK_HOME/var/log/splunk/splunkd.log to find the culprit buckets.
  • identify them and fix them (increment the bucket id should be enough)
  • edit the indexes.conf to re-enable the main index.
  • restart splunk.
  • it it fails restart the procedure.

yashjain
New Member

Same. I don't even have splunkd.log in my 'splunk' folder.

0 Karma

jsven7
Communicator

I don't even have an splunkd.log in "splunk" folder.

0 Karma

snickered
Path Finder

I just ran into this. My $SPLUNK_HOME/etc/system/local/indexes.conf had:

[main] disabled = 1

I changed that over to 0 and I was good. I suspect I mucked things up when I ran splunk as root then tried to reboot at which time it tried to start as user splunk. I had to fix several file permission issues. I found out everything (so far) was fixed with 'chmod -R splunk $SPLUNK_HOME'.

hexx
Splunk Employee
Splunk Employee

This is usually caused by the improper use of an inline comment in indexes.conf. For example:

homePath = /data/sandwich_security/db. # Gotta keep an eye on those sandwiches!

This can prevent splunkd from parsing your indexes.conf.

0 Karma

kubermensch
Engager

Hello @hexx ,

Apologies for following up on this 11 years old thread...

This is usually caused by the improper use of an inline comment in indexes.conf.


I couldn't find anything in official documentation that inline comments are disallowed in indexes.conf. But maybe i just didn't look at the right place.

Could you confirm that inline comments are disallowed in indexes.conf please?

(and if its allowed in other config files generally or a specific list of files?)

 

PS: i checked v9.1.0 Indexes.conf  and v9.1.0 Inputs.conf 

 

Cheers,

A;

 


 

0 Karma

kubermensch
Engager

Its described here (thanks to my colleague at Amadeus)

https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Howtoeditaconfigurationfile#Where_not_to_pu...

I'd be interested to know why this weird behaviour was chosen.

isoutamo
SplunkTrust
SplunkTrust

Probably it's not chosen, it's just "lazy" coding for input checking and extractions.
You could create an idea for fix this on ideas.splunk.com.

Add:

I actually create a new idea for it https://ideas.splunk.com/ideas/EID-I-2035

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...