Installation

Migrated to new server, not displaying results for old index

jsb22
Path Finder

I have just gone through the process of migrating to a new server. I did the following:

  • Installed Splunk on new server & did basic configurations (Authentication, etc.)
  • Copied a custom app with custom dashboards
  • Stopped the old and new server
  • Copied the indexes from the old server to the new server
  • Copied the indexes.conf over to the new server
  • Started the new server
  • Ensured the indexes were enabled by default for the user role I'm using

When I check my custom dashboards, they are only showing results for items that have come in since I started the new server. All indexes are named the same, and it appears it's seeing it because it's showing new events, just not the old ones. Also, the servers are running the same versions.
Any ideas?

UPDATE:
The splunkd.log is reflecting the following:
-0400 ERROR DatabaseDirectoryManager - failed to open <>\db\db_1330693566_1330645912_92.sizeManifest4.1 for writing size (Access is denied.)

Permission issue? Anyone know the default permission set for an index folder on Server 2008 R2?

0 Karma
1 Solution

Mick
Splunk Employee

You need to ensure that the User running Splunk (by default the 'Local System User' on a Windows instance) has full access permissions to the $SPLUNK_DB location. When Splunk starts up, it will run through a validation check on existing index directories to verify that it has the correct permissions to create & modify files in those locations.

The user needs full permissions, read + write

0 Karma


jsb22
Path Finder

Thank you, that's what I needed. It appears when I copied the indexes over, the permissions only applied to the folders and not the subfolders and files. Once I applied to all, everything popped in and the errors were resolved.

0 Karma
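
The check and fix this thread arrives at, as an added PowerShell example that is not part of the original posts: it walks the copied index tree, reports every file and folder without a Full Control entry for the account Splunk runs as, and can re-apply the grant recursively. The default path, the account name as written, and the parameter and function names are assumptions to adjust for your install.

```powershell
# Added example (not from the thread). Lists every file and folder under the
# index root that has no Allow/FullControl ACE (explicit or inherited) for the
# account Splunk runs as, the condition the poster found after copying indexes.
param(
    # Assumed default $SPLUNK_DB on Windows; change to match your install.
    [string]$IndexRoot = 'C:\Program Files\Splunk\var\lib\splunk',
    # Local System as displayed on an English-language OS (assumption).
    [string]$Account   = 'NT AUTHORITY\SYSTEM',
    # When set, re-grant Full Control recursively with icacls.
    [switch]$Fix
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl([string]$Path) {
    # Simplification: looks only for an Allow ACE naming $Account directly;
    # it does not resolve group membership or Deny entries.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

# Include the root itself plus everything beneath it (hidden items too).
$items   = @(Get-Item -Path $IndexRoot) + @(Get-ChildItem -Path $IndexRoot -Recurse -Force)
$missing = @($items | Where-Object { -not (Test-FullControl $_.FullName) })

"{0} of {1} entries lack FullControl for {2}" -f $missing.Count, $items.Count, $Account
$missing | Select-Object -First 20 -ExpandProperty FullName

if ($Fix -and $missing.Count -gt 0) {
    # (OI)(CI) makes the grant inherit to new files and subfolders; /T also
    # rewrites the ACL on everything that already exists under the root.
    & icacls $IndexRoot /grant "${Account}:(OI)(CI)F" /T
}
```

Run it once without `-Fix` to see which bucket files are affected, then with `-Fix` from an elevated prompt. Granting to the specific service account keeps the index data closed to other local users, unlike widening the ACL to a broad group.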