
ERROR :: ‘homePath’ - Splunk won't start on 4.1.4 upgrade

mmstrauss
New Member

Hi there,

I've read the other questions/answers on this issue but I need some further assistance please?

Can someone please advise which index I need to change to remove the reference to [splunklogger] as I'm having a difficult time finding the right index to edit.

0 Karma

hexx
Splunk Employee

During the first start up after the upgrade, Splunk tries to validate the existence of all declared indexes in the indexes.conf found in your configuration directories.

Even if an index is disabled with "disabled = true" or by being present in the indexes.conf of a disabled app, Splunk will freak out if it cannot locate its "homePath" (whether it's the default one in $SPLUNK_DB or a custom one specified in indexes.conf).

The quickest way to troubleshoot this problem is to compare the output of two commands.

The first one displays all existing index configuration stanzas across all indexes.conf :

# find $SPLUNK_HOME/etc/ -name indexes.conf | xargs grep ^\\[

The second command will list the directories present in $SPLUNK_DB ($SPLUNK_HOME/var/lib/splunk/ by default), which is the default "homePath" for each index if no other value for that parameter is specified.

# ls -l $SPLUNK_DB

or

# ls -l $SPLUNK_HOME/var/lib/splunk/

If the first command shows an index that is not present in $SPLUNK_DB and that index doesn't have a setting for "homePath" that points to an existing directory, you should consider disabling that index stanza in that configuration file by preceding it with a "#".

Typical culprits are "splunklogger" (which has been deprecated and is often present but disabled) and "os" (which is often present in disabled apps like "unix" or "nixLF").

This is particularly effective on a forwarder where there shouldn't be any indexes configured other than what can be found in $SPLUNK_DB.

Here's a typical scenario :

1) Which index directories exist?

# ls -l $SPLUNK_DB

total 52
drwx--x--x 5 root root 4096 Jun 25 16:29 audit
drwx--x--x 2 root root 4096 Jun 25 10:14 authDb
drwx--x--x 5 root root 4096 Jun 25 16:29 blockSignature
drwx--x--x 5 root root 4096 Jun 25 16:29 defaultdb
drwx--x--x 6 root root 4096 Jun 25 16:29 fishbucket
drwx--x--x 2 root root 4096 Jun 25 16:29 hashDb
drwx--x--x 5 root root 4096 Jun 25 16:29 historydb
drwx--x--x 5 root root 4096 Jun 25 16:29 _internaldb
drwx------ 2 root root 4096 Jun 25 16:29 persistentstorage
drwx------ 2 root root 4096 Jun 25 16:27 queues
drwx--x--x 5 root root 4096 Jun 25 16:29 sample
drwx--x--x 5 root root 4096 Jun 25 16:29 splunkloggerdb
drwx--x--x 5 root root 4096 Jun 25 16:29 summarydb

2) Which indexes are declared in the configuration files?

# find $SPLUNK_HOME/etc/ -name indexes.conf | xargs grep ^\\[

etc/system/default/indexes.conf:[main]
etc/system/default/indexes.conf:[history]
etc/system/default/indexes.conf:[summary]
etc/system/default/indexes.conf:[_internal]
etc/system/default/indexes.conf:[_audit]
etc/system/default/indexes.conf:[_thefishbucket]
etc/system/default/indexes.conf:[_blocksignature]
etc/system/default/indexes.conf:[splunklogger]
etc/apps/sample_app/default/indexes.conf:[sample]
etc/apps/nixLF/default/indexes.conf:[main]
etc/apps/nixLF/default/indexes.conf:[history]
etc/apps/nixLF/default/indexes.conf:[summary]
etc/apps/nixLF/default/indexes.conf:[_internal]
etc/apps/nixLF/default/indexes.conf:[_audit]
etc/apps/nixLF/default/indexes.conf:[_blocksignature]
etc/apps/nixLF/default/indexes.conf:[splunklogger]
etc/apps/unix/default/indexes.conf:[os]
etc/apps/SplunkLightForwarder/default/indexes.conf:[main]
etc/apps/SplunkLightForwarder/default/indexes.conf:[history]
etc/apps/SplunkLightForwarder/default/indexes.conf:[summary]
etc/apps/SplunkLightForwarder/default/indexes.conf:[_internal]
etc/apps/SplunkLightForwarder/default/indexes.conf:[_audit]
etc/apps/SplunkLightForwarder/default/indexes.conf:[_blocksignature]
etc/apps/SplunkLightForwarder/default/indexes.conf:[splunklogger]

This revealed the following culprits :

etc/apps/unix/default/indexes.conf:[os]
etc/system/default/indexes.conf:[splunklogger]
etc/apps/nixLF/default/indexes.conf:[splunklogger]
etc/apps/SplunkLightForwarder/default/indexes.conf:[splunklogger]

The "splunklogger" index was disabled everywhere it was declared with "disabled = true", and the "os" index was not in use as the unix app was disabled. Once these stanzas and all of their associated parameters were commented out, the upgrade worked!
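
The comparison described in the answer above, automated as an added example (not code from the thread or from Splunk). The function name find_unbacked_indexes is hypothetical, and the script assumes that homePath can be merged per index name across files and that an index with no homePath anywhere lives at $SPLUNK_DB/<index name>.

```bash
#!/bin/sh
# Added example: report index stanzas whose homePath is missing on disk.
# Assumptions: homePath is merged per index name across all indexes.conf
# files (Splunk's real precedence order is not modelled), and an index with
# no homePath anywhere is expected at $SPLUNK_DB/<index name>.
find_unbacked_indexes() {   # $1 = etc directory, $2 = SPLUNK_DB directory
    tab=$(printf '\t')
    find "$1" -name indexes.conf -print0 |
    xargs -0 awk -v db="$2" '
        FNR == 1 { name = "" }          # new file: no stanza open yet
        /^[ \t]*#/ { next }             # stanzas commented out with "#" are skipped
        /^\[/ {                         # stanza header such as [splunklogger]
            rb = index($0, "]")
            name = (rb > 2) ? substr($0, 2, rb - 2) : ""
            if (name != "") files[name] = files[name] FILENAME "\n"
            next
        }
        name != "" && /^[ \t]*homePath[ \t]*=/ {
            path = $0
            sub(/^[^=]*=[ \t]*/, "", path)
            sub(/[ \t\r]+$/, "", path)
            home[name] = path
        }
        END {
            for (n in files) {
                p = (n in home) ? home[n] : "$SPLUNK_DB/" n
                if (index(p, "$SPLUNK_DB") == 1) p = db substr(p, 11)
                cnt = split(files[n], f, "\n")
                for (i = 1; i < cnt; i++) printf "%s\t%s\t%s\n", f[i], n, p
            }
        }' |
    while IFS="$tab" read -r file name path; do
        # Quoted test in the shell: config values are never evaluated as code.
        [ -d "$path" ] || printf '%s:[%s]\n' "$file" "$name"
    done | sort
}

# Run against a real installation only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    find_unbacked_indexes "$SPLUNK_HOME/etc" "${SPLUNK_DB:-$SPLUNK_HOME/var/lib/splunk}"
fi
```

Each output line has the same file:[stanza] form as the culprit list above, so it points directly at the stanza to comment out.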

gkanapathy
Splunk Employee

You should just need to edit indexes.conf, probably in etc/system/local and/or etc/apps/search/local

0 Karma

Brian_Osburn
Builder

I had this problem with my forwarders when copying deployments from a 4.1.3 instance to a 4.1.4 instance.

I ended up modifying the inputs.conf & indexes.conf to delete the references to splunklogger.

Brian

0 Karma