To be more specific, anyone know when there will be full support for RHEL 7? With services being moved over to systemd, Splunk is still using the deprecated init.d script.
I have moved it over to a systemd service script, and running it manually will stop, start, and restart the service, but if I update an application and restart it through the browser it just stops the service.
You would think that since almost every Linux OS is going to systemd, and has been for years now, that Splunk would update its software to recognize and do both.
The truth is most companies still fear systemd 🙂 and admins are still catching up to the reality in large organisations.
I've used the workaround for quite long now as per https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html
sudo systemctl enable splunkd
Summary of the issue:
Splunk 6.0.0 - Splunk 7.2.1 defaults to using init.d when enabling boot start
Splunk 7.2.2 - Splunk 7.2.9 defaults to using systemd when enabling boot start
Splunk 7.3.0 - Splunk 8.x defaults to using init.d when enabling boot start
systemd defaults to prompting for root credentials upon stop/start/restart of Splunk
Here is a simple fix if you have encountered this issue and prefer to use the traditional init.d scripts vs systemd.
Splunk Enterprise/Heavy Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0
Splunk Universal Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunkforwarder/bin/splunk disable boot-start
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 0
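A check to run after switching mechanisms as described above, added here as an example and not part of the original answers: it reports whether an init.d script, a systemd unit, or both are installed, and which account a unit runs as. The file locations (`/etc/init.d/<name>`, `/etc/systemd/system/<name>.service`) and the init script name `splunk` are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and the init script name are
# assumptions; the unit name "splunkd" is the one used in the thread.

# Print which boot-start mechanism is installed: initd, systemd, both or none.
# "both" is the state to fix: a hand-written unit left next to the init
# script means two managers can start and stop the same daemon.
boot_start_mode() {
    root=$1       # filesystem root to inspect ("" for the live system)
    init_name=$2  # init.d script name (assumed: "splunk")
    unit_name=$3  # systemd unit name without the .service suffix
    has_init=0
    has_unit=0
    [ -f "$root/etc/init.d/$init_name" ] && has_init=1
    [ -f "$root/etc/systemd/system/$unit_name.service" ] && has_unit=1
    case "$has_init$has_unit" in
        10) echo initd ;;
        01) echo systemd ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Print the account a unit file runs its service as. systemd runs a system
# service as root when no User= line is present; the last User= line wins.
unit_run_user() {
    unit_file=$1
    user=$(sed -n 's/^[[:space:]]*User[[:space:]]*=[[:space:]]*//p' "$unit_file" | tail -n 1)
    echo "${user:-root}"
}

# Inspect the live system.
boot_start_mode "" splunk splunkd
```

A result of `both`, or a unit whose run-as user is `root` when you enabled boot start with `-user splunk`, means the switch did not leave the host in the state you intended.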
The init script doesn't bother me that much; the bigger pain is Splunk_TA_nix needing updated; specifically the service list that is practically useless. Red Hat 7 has only been out 3.5 years, you would think they would want to be able to easily list the service on a server considering its importance for security and operations. We do have support and I've opened support cases, I've spoken to people to try and get this on the road map, but they don't seem to really care.