Re: macOS Sierra 10.12 kills Splunk

hochit · ‎09-21-2016

Quite surprised no one reported this. I can't run Splunk anymore even fresh install on macOS Sierra.
Probably Splunk should alert users/engineers not to upgrade macOS before it's fixed.

        Checking indexes...
homePath='/Users/philip/Projects/splunk_demo2/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'.  If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue

ChrisG · ‎03-28-2018

There is information--and warnings--about this in the documentation now: Splunk Enterprise does not start due to unusable file system.

mvanorshoven · ‎10-12-2016

Hi Folks,

I did this but I still get the following error message. I suspect I'm doing something really, really dumb. If you could point me in the right direction, that would be great.

Yorokobi · ‎12-05-2017

You need to tell your macOS firewall to allow connections to :8000. When you first launch Splunk Enterprise you should have been presented with a dialogue box asking to allow or deny access.

malmoore · ‎09-22-2016

The System Requirements page does not list MacOS 10.12 Sierra as a supported operating system for Splunk Enterprise at this time.

You are welcome to install it on that version of MacOS but you do so solely at your own risk. Overriding file system lock check is not the best look.

We will advise on the page I linked when support for MacOS 10.12 is available and supported.

hochit · ‎09-21-2016

Got answer from Splunk guy. We can add following line to $SPLUNK_HOME/etc/splunk-launch.conf

OPTIMISTIC_ABOUT_FILE_LOCKING = 1

hpark9090 · ‎04-22-2018

How should I add line to $SPLUNK_HOME/etc/splunk-launch.conf? I have no idea where I can find this conf file.

malmoore · ‎04-24-2018

If the file doesn't exist, you simply need to create it and place the above line in it.

sloshburch · ‎05-04-2018

Hmmm. I am surprised to hear about a deployment where that file doesn't exist. Is this merely a scenario of $SPLUNK_HOME not already defined? Did you change that to where Splunk is installed (like /opt/splunk/)?

Dimxxx · ‎10-20-2017

Works on macOS High Sierra 10.13 (17A405)

malmoore · ‎09-22-2016

If you are concerned about your data in any way then you should not not not do this. This variable basically drops all filesystem lock checks and any data you store might or might not be retrievable.

There is no support yet for MacOS 10.12. We're working on it, and when it's ready, we'll make sure everybody knows.

If you are doing this as a test, then go right ahead, but you assume all risk for your data otherwise.

michaelmundi · ‎03-24-2017

Hello Malmoore,

Does Splunk now have support for apple 10.12 unified logs ?
Please, advise.

Thanks

woodcock · ‎09-22-2016

You should click Accept on your answer.

macOS Sierra 10.12 kills Splunk

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout