Migrated to new server, not displaying results for old index

jsb22
Path Finder

I have just gone through the process of migrating to a new server. I did the following:

  • Installed Splunk on new server & did basic configurations (Authentication, etc.)
  • Copied a custom app with custom dashboards
  • Stopped the old and new server
  • Copied the indexes from the old server to the new server
  • Copied the indexes.conf over to the new server
  • Started the new server
  • Ensured the indexes were enabled by default for the user role I'm using

When I check my custom dashboards, they are only showing results for items that have come in since I started the new server. All indexes are named the same, and it appears it's seeing it because it's showing new events, just not the old ones. Also, the servers are running the same versions.
Any ideas?

UPDATE:
The splunkd.log is reflecting the following:
-0400 ERROR DatabaseDirectoryManager - failed to open <>\db\db_1330693566_1330645912_92.sizeManifest4.1 for writing size (Access is denied.)

Permission issue? Anyone know the default permission set for an index folder on Server 2008 R2?

0 Karma
1 Solution

Mick
Splunk Employee

You need to ensure that the User running Splunk (by default the 'Local System User' on a Windows instance) has full access permissions to the $SPLUNK_DB location. When Splunk starts up, it will run through a validation check on existing index directories to verify that it has the correct permissions to create & modify files in those locations.

The user needs full permissions, read + write


0 Karma

jsb22
Path Finder

Thank you, that's what I needed. It appears when I copied the indexes over, the permissions only applied to the folders and not the subfolders and files. Once I applied to all, everything popped in and the errors were resolved.

0 Karma
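
The check and fix discussed in this thread, as an added example that is not part of the original posts: a PowerShell audit that lists every folder and file under the index location where the Splunk service account has no Full control entry, with an optional recursive repair. The path, the account name, the `Test-FullControl` helper and the `$Repair` switch are assumptions for illustration (default Windows install location, Splunk running as Local System).

```powershell
# Added example: audit (and optionally repair) ACLs on a copied Splunk index tree.
# Assumptions: default install path and Splunk running as Local System.
$SplunkDb = 'C:\Program Files\Splunk\var\lib\splunk'   # assumed $SPLUNK_DB
$Account  = 'NT AUTHORITY\SYSTEM'                       # assumed service account
$Repair   = $false                                      # set to $true to apply the fix

# Hypothetical helper: true if $Identity has an Allow ACE with FullControl that
# applies to the object itself. Only ACEs naming the account directly are
# checked, so access granted through a group is reported as missing.
function Test-FullControl {
    param([string]$Path, [string]$Identity)
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notlike '*InheritOnly*'
    }
    foreach ($r in $rules) {
        if (($r.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

# Walk the whole tree: a copy can leave correct ACLs on the top-level folders
# while bucket subfolders and files (e.g. db_*) are still not writable.
$missing = @(Get-ChildItem -LiteralPath $SplunkDb -Recurse -Force |
    Where-Object { -not (Test-FullControl $_.FullName $Account) })

'{0} objects lack FullControl for {1}' -f $missing.Count, $Account
$missing | Select-Object -First 20 -ExpandProperty FullName

# Repair: run elevated with Splunk stopped. Grants Full control on the root,
# inheritable by subfolders (CI) and files (OI), and applies it down the tree (/T).
# Only the service account is granted access, not a broad group.
if ($Repair -and $missing.Count -gt 0) {
    icacls $SplunkDb /grant "${Account}:(OI)(CI)F" /T /C
}
```

Run the audit again after the repair; a count of 0 means the startup validation should no longer log "Access is denied" for the copied buckets.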