Splunk® Enterprise

Troubleshooting Manual



Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Splunk Enterprise does not start due to unusable filesystem

If you receive an error message like the following when you start Splunk Enterprise on a *nix machine, it might be because the software does not know how to write to your machine's filesystem.

    homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem. Validating databases (splunkd validatedb) failed with code '1'.

Splunk Enterprise must be able to write to the local filesystem to index your data. Splunk provides support for many different filesystems, as described in System requirements in the Installation Manual. On machines with an unrecognized filesystem, Splunk Enterprise runs a utility called locktest that confirms whether it can work with the filesystem. If locktest fails for any reason, splunkd does not start, to prevent you from indexing data to a filesystem that it cannot write to.

The locktest utility can fail for a number of reasons:

  • The filesystem is not known, and Splunk Enterprise cannot perform the proper file locking on it.
  • The filesystem has been marked as read-only, or has otherwise been changed by the operating system.
  • A library or function that locktest uses to perform the tests is not available or cannot be loaded.

This troubleshooting topic does not apply to Splunk Enterprise instances that run on Windows machines.

Temporarily bypass filesystem checks

If you are a Splunk administrator who understands the risks, you can temporarily bypass filesystem checks to get Splunk Enterprise running again.

Configuring this setting can be dangerous and is not supported in normal operations. Irrevocable data loss can occur. You perform this action solely at your own risk. By configuring the setting, you actively bypass filesystem checks that confirm if Splunk Enterprise can run on your machine filesystem. In a production environment, you must not use this setting as a long-term solution to a filesystem problem. If you use the setting under the guidance of Splunk Support, immediately report any problems that you encounter with indexing or search.

Use the setting in one or more of the following scenarios only:

  • You are a skilled Splunk administrator and understand the risks of bypassing filesystem checks.
  • You use Splunk software in a development environment.
  • You want to recover from a situation where the default filesystem has been changed outside of your control, such as during an operating system upgrade.
  • You want to recover from a situation where a Splunk bug has invalidated a previously functional filesystem after an upgrade.
  • You want to evaluate the performance of a filesystem for which Splunk has not yet offered support.
  • You have been given explicit instruction from Splunk Support to use the setting to solve a problem where Splunk software does not start because of a failed filesystem check.
  • You understand and accept all of the risks of using the setting, up to and including losing all your data with no ability to recover it.

  1. On the machine that is experiencing the failure, open a shell prompt.
  2. Become root or an administrative equivalent with su:
    sudo su -
    
  3. Open $SPLUNK_HOME/etc/splunk-launch.conf with a text editor.

    $SPLUNK_HOME represents where you have installed Splunk Enterprise. For example, if you installed Splunk Enterprise in /opt/splunk, then you would edit /opt/splunk/etc/splunk-launch.conf.

  4. In the file, add the following line anywhere:
    OPTIMISTIC_ABOUT_FILE_LOCKING=1
    
  5. Save the file and close the text editor.
  6. Restart Splunk Enterprise.
  7. Confirm that the splunkd service has started.
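
Because the bypass must not stay in place as a long-term fix, the following audit script checks whether it is still set and whether the index path sits on a read-only mount. It is an added example, not part of the Splunk documentation or tooling. The function names, the exact match on the value 1, and the Linux /proc/mounts format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk tooling): audit for a lingering locktest bypass
# and for a read-only filesystem under an index path.

# bypass_enabled CONF: succeeds if an uncommented line in CONF sets
# OPTIMISTIC_ABOUT_FILE_LOCKING=1; returns 2 if CONF is unreadable.
bypass_enabled() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*OPTIMISTIC_ABOUT_FILE_LOCKING[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# mount_of PATH [MOUNTS]: prints "mountpoint fstype ro|rw" for the mount that
# holds PATH, picking the longest matching mount point (last entry wins ties).
# MOUNTS defaults to /proc/mounts; mount points containing spaces are not handled.
mount_of() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) {
                    best_len = length(mp); best = mp; type = $3
                    mode = (("," $4 ",") ~ /,ro,/) ? "ro" : "rw"
                }
            }
        }
        END { if (best != "") print best, type, mode; else exit 1 }
    ' "${2:-/proc/mounts}"
}

# audit SPLUNK_HOME INDEX_PATH [MOUNTS]: prints findings, returns 1 if any.
audit() {
    findings=0
    if bypass_enabled "$1/etc/splunk-launch.conf"; then
        echo "FINDING: filesystem check bypass is set in $1/etc/splunk-launch.conf"
        findings=1
    fi
    if info=$(mount_of "$2" "${3:-/proc/mounts}"); then
        set -- $info
        echo "INFO: index path is on $1 (type $2, mounted $3)"
        if [ "$3" = "ro" ]; then
            echo "FINDING: filesystem is mounted read-only"
            findings=1
        fi
    fi
    return "$findings"
}

# Example: sh audit.sh /opt/splunk /opt/splunk/var/lib/splunk/audit/db
if [ "$#" -ge 2 ]; then audit "$@"; fi
```

A read-only finding matches one of the locktest failure causes listed earlier, and it is better fixed at the mount than worked around with the bypass.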
Last modified on 29 March, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0

