I have no idea where this message is coming from. I see the subject message in the WebUI but when I restart splunk it tells me all is OK. Here is the output from a restart:
[dev]root@ip-10-94-18-55:/opt/splunk/etc/users:#/opt/splunk/bin/splunk restart
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
............. [ OK ]
Stopping splunk helpers...
[ OK ]
Done.
Splunk> Needle. Haystack. Found.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket aws_anomaly_detection aws_topology_daily_snapshot aws_topology_history aws_topology_monthly_snapshot aws_topology_playback aws_vpc_flow_logs history main summary
Done
Bypassing local license checks since this instance is configured with a remote license master.
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [ui] in /opt/splunk/etc/apps/SA-ge_splunk_health/local/app.conf, line 12: version (value: 1.0).
Invalid key in stanza [calendar_heatmap] in /opt/splunk/etc/apps/calendar_heatmap_app/default/visualizations.conf, line 6: supports_drilldown (value: True).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[ OK ]
Waiting for web server at https://127.0.0.1:8000 to be available................. Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at https://ip-10-94-18-55:8000
I ran the REST API call to https://10.94.18.55:8089/services/server/status/installed-file-integrity and it tells me that the file /opt/splunk/etc/users/users.ini has been modified. What am I missing here?
Any help is MUCH appreciated as this is very annoying.
On my Splunk 6.5.1 Linux box, users.ini is empty:
0 -r--r--r--. 1 splunk splunk 0 Nov 18 2016 users.ini
Go to a fresh Splunk instance, copy /opt/splunk/etc/users/users.ini from the fresh instance to yours, be sure to keep the file modified times ... restart.
This will go away.
When I do this, Splunk complains about the missing [contains-uppercase] section. So unfortunately this did not work.
[contains-uppercase]
212631038" = 212631038_.7c4b2bdd6b5f9690f1813a7ab9d6e76a
212611170" = 212611170_.d3b52ce6b4e8fdfbf8ec32f6d9f015ba
Same version/edition of Splunk on both?
(And which version/OS are we talking about?)
Did you edit some files under the default folders?
The file is /opt/splunk/etc/users/users.ini that it is complaining about.
I would never do that, so no.