Splunk Search

Splunk diag error messages, No directory separator found

I-Man
Communicator

While running splunk diag on an indexer, I received the following error messages. Any ideas as to what they mean or if there is a problem?

[root@splunk bin]# ./splunk diag
Ensuring clean temp dir...
Selected diag name of: diag-splunk.domain.org-2013-08-22
Starting splunk diag...
sh: lsb_release: command not found
No directory separator found in index path: $SPLUNK_DB\fw\db
No directory separator found in index path: $SPLUNK_DB\fw\colddb
No directory separator found in index path: $SPLUNK_DB\fw\thaweddb
No directory separator found in index path: $SPLUNK_DB\randomlogs\db
No directory separator found in index path: $SPLUNK_DB\randomlogs\colddb
No directory separator found in index path: $SPLUNK_DB\randomlogs\thaweddb

Thanks in advance!

0 Karma
1 Solution

kristian_kolb
Ultra Champion

Have you created your indexes.conf on a Windows machine (or with a Windows mindset)? It looks like you are using backslashes instead of forward slashes.

/K

fbustamantes
Explorer

Is there any way to correct this in a cluster environment? I just checked the master, and it happens that the initial platform was a Windows one; however, when we created our cluster, we changed to Linux. I completely forgot to change the separator in the paths, and Splunk didn't alert me of anything going wrong during the execution of the bundle to distribute the configurations to the indexers.

So, is there any way to correct this without losing reference to the data on those indexes? Currently this is a production environment, and even though I'm not having big trouble other than the diag message, I would like to have it corrected, just as a good practice and for the health of the environment.

Thanks.

0 Karma

kristian_kolb
Ultra Champion

Are you getting any new events into these indexes? If not, you should probably correct this. Good luck.

0 Karma

jrodman
Splunk Employee

There was a time where this type of indexes.conf would break splunk.

It's impossible to safely handle this type of path correctly on unix, so it should not work (backslash is a valid character in a dirname). I think, however, someone in engineering decided to "just make it work" unsafely. Diag is not willing to let this slide.

You should really use forward slashes on unix; the backslashes are not valid. These days forward slashes work on both platforms (a long time ago they did not).

0 Karma
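
As an added example (not part of the thread and not Splunk's own code): a Python check that flags backslashes in the homePath, coldPath and thawedPath settings of an indexes.conf and shows how a POSIX system splits such a path, which is why the whole tail ends up as one directory name. The sample config is constructed from the paths in the diag output, and /opt/splunk/var/lib/splunk as the value of $SPLUNK_DB is an assumption.

```python
import posixpath
import re

PATH_KEYS = {"homePath", "coldPath", "thawedPath"}  # bucket-directory settings
STANZA_RE = re.compile(r"^\[([^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^([A-Za-z_.]+)\s*=\s*(.*)$")


def find_backslash_paths(conf_text):
    """Return (line_no, stanza, key, value, suggested) per backslashed path setting."""
    findings = []
    stanza = "(global)"  # settings that appear before any stanza header
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := STANZA_RE.match(line):
            stanza = m.group(1)
            continue
        m = SETTING_RE.match(line)
        if m and m.group(1) in PATH_KEYS and "\\" in m.group(2):
            key, value = m.group(1), m.group(2).strip()
            findings.append((line_no, stanza, key, value, value.replace("\\", "/")))
    return findings


def on_disk_name(value, splunk_db):
    """Expand $SPLUNK_DB, then split the path the way a POSIX system does."""
    # Backslash is an ordinary filename character on POSIX, so everything
    # after the last '/' is a single directory name.
    return posixpath.split(value.replace("$SPLUNK_DB", splunk_db))


# Constructed sample modelled on the paths in the diag output above.
SAMPLE_CONF = r"""
[fw]
homePath = $SPLUNK_DB\fw\db
coldPath = $SPLUNK_DB\fw\colddb
thawedPath = $SPLUNK_DB\fw\thaweddb
[main]
homePath = $SPLUNK_DB/defaultdb/db
"""

if __name__ == "__main__":
    assumed_db = "/opt/splunk/var/lib/splunk"  # assumed value of $SPLUNK_DB
    for line_no, stanza, key, value, fixed in find_backslash_paths(SAMPLE_CONF):
        parent, name = on_disk_name(value, assumed_db)
        print(f"line {line_no} [{stanza}] {key}: {value} -> suggest {fixed}")
        print(f"    on Linux: one directory named {name!r} under {parent}")
```

The check only reports; directories already created with backslashes in their names stay as they are on disk.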

I-Man
Communicator

Whoops, yes I did move everything from Windows to Linux. Now I have folders in splunk/var/lib named "splunk\randomlogs\db" and "splunk\randomlogs\colddb" and "splunk\randomlogs\thaweddb" instead of a randomlogs directory and subdirectories for db, colddb, and thawed. So far this hasn't caused any issues aside from the diag output. Aside from being a mess, is it OK to leave it this way or will this have further negative consequences?

0 Karma