I have just gone through the process of migrating to a new server. I did the following:
When I check my custom dashboards, they are only showing results for items that have come in since I started the new server. All indexes are named the same, and it appears it's seeing it because it's showing new events, just not the old ones. Also, the servers are running the same versions.
Any ideas?
UPDATE:
The splunkd.log is reflecting the following:
-0400 ERROR DatabaseDirectoryManager - failed to open <
Permission issue? Anyone know the default permission set for an index folder on Server 2008 R2?
You need to ensure that the User running Splunk (by default the 'Local System User' on a Windows instance) has full access permissions to the $SPLUNK_DB location. When Splunk starts up, it will run through a validation check on existing index directories to verify that it has the correct permissions to create & modify files in those locations.
The user needs full permissions, read + write
Thank you, that's what I needed. It appears when I copied the indexes over, the permissions only applied to the folders and not the subfolders and files. Once I applied to all, everything popped in and the errors were resolved.
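The resolution above (permissions set on the folders but not on the subfolders and files) can be checked before starting Splunk. This is an added example, not part of the original thread; the `$SplunkDb` default path and the `Test-FullControl` helper are assumptions, and it assumes Splunk runs as Local System (SID S-1-5-18).

```powershell
# Added example: list items under the index tree where the Splunk service
# account has no effective "Allow Full Control" rule (Deny rules are not evaluated).
param(
    [string]$SplunkDb   = 'C:\Program Files\Splunk\var\lib\splunk',  # assumed $SPLUNK_DB; adjust
    [string]$AccountSid = 'S-1-5-18'                                  # Local System
)

$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Test-FullControl {
    param([string]$Path, [string]$Sid)
    $acl = Get-Acl -Path $Path
    # Explicit and inherited rules, with identities returned as SIDs so the
    # comparison does not depend on the localized account name.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only rules apply to children, not to this item itself.
        if (($rule.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        if ($rule.IdentityReference.Value -eq $Sid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

# Check the root plus every subfolder and file, including hidden ones.
$items   = @(Get-Item -Path $SplunkDb) + @(Get-ChildItem -Path $SplunkDb -Recurse -Force)
$missing = @($items | Where-Object { -not (Test-FullControl $_.FullName $AccountSid) })

$missing | Select-Object -Property FullName -First 20
"{0} of {1} items lack Full Control for {2}" -f $missing.Count, $items.Count, $AccountSid

# Repair from an elevated prompt: grant Full Control to the service account only,
# inherited by files (OI) and subfolders (CI), and applied to the existing tree (/T).
# Restart Splunk afterwards so its startup validation runs again.
# icacls $SplunkDb /grant "*S-1-5-18:(OI)(CI)F" /T
```

If Splunk runs under a dedicated service account instead of Local System, pass that account's SID as `-AccountSid` and use it in the `icacls` grant rather than widening access to a broader group.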