Since upgrading the search heads and indexers to v 6.4 (forwarders are still v6.3) the indexers are now logging in splunkd.log the following:
04-07-2016 11:11:15.221 +1000 ERROR AuditTrailManager - Host="host::ServerNAME" cannot open D:\Program Files\Splunk\var\lib\splunk\persistentstorage\audit\seqnum_host::ServerNAME.dat for write, error="The filename, directory name, or volume label syntax is incorrect.".
04-07-2016 11:11:15.221 +1000 ERROR AuditTrailManager - Failed to save seq_no=289 for host="host::ServerNAME" to disk!
This log event is happening for EACH universal forwarder and multiple times. The indexers are Windows2012 and I'm pretty certain Windows ACL's aren't the issue as they have been checked.
On each of the (two) indexers in D:\Program Files\Splunk\var\lib\splunk\persistentstorage\audit there is only one file: seqnum_localhost.dat
What's going on? How can I fix it?
Thanks
Cam - Splunk 6.3 architect
↧