Hello fellow Splunkers,
We've been tracking down and resolving our Splunkd errors and warnings. This one has us perplexed:
WARN ExecProcessor - message from ""C:\program files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" BundlesUtil - C:\program files\SplunkUniversalForwarder\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta
The difference is "program files" vs. "Program Files". I know it's just a warning and has no impact, but I'd still like to resolve it as it happens every minute on all of our forwarders filling up the splunkd logs. I also do not want to change the logging as ExecProcessor contains many useful warnings. The closest answer I've found online is here*, although that one has to do with the case of the app name instead of the $SplunkHome full path.
The only thing I can think of that may have caused this is that we upgrade our forwarders automatically. We are a 100% Windows environment. We achieve this with a scripted input that sends the value of %SPLUNK_HOME% to PowerShell via a command/batch file that uses msiexec to upgrade the forwarders. The value of %SPLUNK_HOME% is sent by Splunk to all scripted inputs (it is not an environment variable). I'm guessing that SPLUNK_HOME is lower()ed by Splunk, which is causing some mismatch that Splunk later checks for some reason. However, I have no idea how to resolve the issue.
* https://answers.splunk.com/answers/137700/when-trying-to-schedule-a-pdf-email-delivery-i-receive-the...
I was able to resolve the warnings by uncommenting the line below in $SPLUNK_HOME\etc\splunk-launch.cfg, capitalizing the P and F in Program Files, and restarting the SplunkForwarder service.
# SPLUNK_HOME=C:\program files\SplunkUniversalForwarder
Alternatively, you can run the following command as the account that Splunk is running as on the Windows VM with the forwarder installed in an elevated cmd prompt (Run as Administrator).
SETX $SPLUNK_HOME "C:\Program Files\SplunkUniversalForwarder"
Whether or not this should be done is another question (this is not a production environment).
http://dev.splunk.com/view/quickstart/SP-CAAAFDH
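To find which forwarders log this warning and which path component differs, the splunkd.log lines can be triaged as below. This is an added example, not part of the original posts: the function name Get-CasingMismatch, the output field names and the sample timestamps are made up, and it assumes the second path in the warning carries the casing to put in splunk-launch.cfg and that the install root is everything before \etc\.

```powershell
# Added example. Sample lines are constructed from the warning quoted in the
# question; the timestamps and the INFO line are invented for illustration.
$sample = @'
01-01-2020 10:00:00.000 +0000 WARN  ExecProcessor - message from ""C:\program files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" BundlesUtil - C:\program files\SplunkUniversalForwarder\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta
01-01-2020 10:00:05.000 +0000 INFO  TailReader - unrelated line
01-01-2020 10:01:00.000 +0000 WARN  ExecProcessor - message from ""C:\program files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" BundlesUtil - C:\program files\SplunkUniversalForwarder\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta
'@ -split "`r?`n"

function Get-CasingMismatch {
    param([string[]]$Line)
    $pattern = 'BundlesUtil - (?<seen>.+?) already exists but with different casing: (?<other>.+)$'
    foreach ($l in $Line) {
        $m = [regex]::Match($l, $pattern)
        if (-not $m.Success) { continue }
        $seen  = $m.Groups['seen'].Value.Trim()
        $other = $m.Groups['other'].Value.Trim()
        # Only a pure casing difference is in scope: the two paths must be
        # identical when compared case-insensitively.
        if ($seen -ine $other) { continue }
        $a = $seen  -split '\\'
        $b = $other -split '\\'
        # Collect every path component whose casing differs.
        $diff = for ($i = 0; $i -lt $a.Count; $i++) {
            if ($a[$i] -cne $b[$i]) { '"{0}" vs "{1}"' -f $a[$i], $b[$i] }
        }
        [pscustomobject]@{
            Logged        = $seen
            Other         = $other
            Differs       = @($diff)
            # Assumption: install root = second path with \etc\... removed.
            SuggestedHome = $other -replace '\\etc\\.*$', ''
        }
    }
}

# One summary line per distinct install root, with the warning count.
Get-CasingMismatch -Line $sample |
    Group-Object SuggestedHome |
    ForEach-Object {
        'SPLUNK_HOME={0}  warnings={1}  differs: {2}' -f `
            $_.Name, $_.Count, ($_.Group[0].Differs -join ', ')
    }
```

Against a real forwarder, replace $sample with Get-Content on that forwarder's splunkd.log.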