All Apps and Add-ons

Why Splunkd won't start after after installing app Encrypt and Decrypt data within Events?

neiljpeterson
Communicator

I installed this app and Splunk would not restart afterwards. I went the command line and this is what I got when I tried to start it.

PS D:\Splunk\bin> .\splunk.exe start

Splunk> Needle. Haystack. Found.

Checking prerequisites...
        Checking http port [443]: open
        Checking mgmt port [8089]: open
        Checking configuration... Error while parsing 'D:\Splunk\etc\apps\SplunkAppForXenDesktop\default\data\ui\views\x
d_session_list.xml':
 no element found: line 1, column 0


There were problems with the configuration files.
Would you like to ignore these errors? [y/n]:y
Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _blocksignature _internal _introspection _thefishbucket applications citrix_licensing
citrix_licensing_alerts history apps iseries main msad mssql perfmon pinger solr sos sos_summary_daily summary te
stfsmonitor testing winevents xendesktop xendesktop_alerts xendesktop_perfmon xendesktop_winevents
        Done


Bypassing local license checks since this instance is configured with a remote license master.

        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Splunkd: Stopped
PS D:\Splunk\bin>

The complaint about xd_session_list.xml is nothing new, so I doubt that is the issue. I removed the folder from \etc\apps that was installed originally, same behavior.

The only two logs with output is btool.log (3 lines) and splund-utility.log (17 lines) They contain some WARNs but no ERRORs

I am running 6.1.1

What are my next troubleshooting steps?

0 Karma
1 Solution

neiljpeterson
Communicator

Went to Event Viewer and found

The Splunkd service failed to start due to the following error:
The service did not start due to a logon failure.

Went to the service account and found that the password was changed this morning. They were under the impression that the account was not being used 😕

"What we have here is a failure to
communicate..."

😉

Why would this logon failure not be written to splunkd.log?

View solution in original post

neiljpeterson
Communicator

I didn't. I added it after you asked 😉

I would be very surprised if an app caused splunkd to not start. And in this case it had nothing to do with the app, the restart just caused the pre-existing problem to arise.

ppablo
Retired

ah sorry I didn't realize you put the version at the bottom of your post. I wasn't sure if your issue had anything to do with the app being compatible with versions 5.0 and below according to the app's page http://apps.splunk.com/app/282/

0 Karma

neiljpeterson
Communicator

Went to Event Viewer and found

The Splunkd service failed to start due to the following error:
The service did not start due to a logon failure.

Went to the service account and found that the password was changed this morning. They were under the impression that the account was not being used 😕

"What we have here is a failure to
communicate..."

😉

Why would this logon failure not be written to splunkd.log?

neiljpeterson
Communicator

Running 6.1.1

0 Karma

ppablo
Retired

Hi @neiljpeterson

What version of Splunk are you using?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...