Hi,
I currently have four instances of Splunk, which are synchronised on a daily basis (the first instance pushes updates to the rest).
A couple of days ago I noticed that the regex for two extracted fields had changed somehow, so the searches wouldn't work anymore. When I altered the regex for them, everything worked fine until the next day - I realised that the changes had completely reverted after the Splunk service restarted. I also found these error messages when I ran "./splunk btool check --debug" (there are more of them, for all Splunk users):
No spec file for: /opt/splunk/etc/apps/user-prefs/default/user-
No spec file for: /opt/splunk/etc/system/default/conf.conf
No spec file for: /opt/splunk/etc/system/default/datatypesbnf.c
No spec file for: /opt/splunk/etc/system/default/default-mode.c
No spec file for: /opt/splunk/etc/system/default/prefs.conf
Not sure if that's the reason why changes are not saved or if it's just a separate issue, but I would still like to fix these.
Can anyone help, please?
What are spec files and could I possibly recover them if they were lost maybe, etc?
Thank you and have a great weekend 🙂