This is the error that I'm getting when I try to open Splunk.....
"Splunk> Now with more code!
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue"
What am I doing wrong?
I'm on a Mac OS and I'm trying to download Splunk on my laptop. I'm getting the above error and I don't know what I'm supposed to do. Is there a setting or something that I'm missing?
HI,
This is an indication that you may have Splunk deployed on top of an unsupported filesystem that does not implement required file locking mechanism. Setting that attribute in splunk-launch.conf is overriding our internal file locking test during startup.
$SPLUNK_HOME/etc/splunk-launch.conf:
OPTIMISTIC_ABOUT_FILE_LOCKING = 1
I can't even find the $SPLUNK _HOME file, which means that I can't find splunk-launch.conf. I went to the finder and looked everywhere in all of the Splunk files.
I'm using a MAC OS. Should I just uninstall and start over?
$SPLUNK_HOME is the directory where Splunk is installed. It is often referred to as this because this varies by installation OS, installation method, and package that's being installed. In your case /Applications/Splunk
is where you've installed Splunk so you're looking to edit /Applications/Splunk/etc/splunk-launch.conf
Now you should note that while making this change, you can get Splunk to run on MacOS High Sierra, and it may even work OK for some test cases & experimentation, Splunk, Inc. does not support this setup currently, and you'll want to proceed with caution. See the more official note on this question: https://answers.splunk.com/answering/593002/view.html
How can the setting be changed? I'm on a Mac OS.
Try this path :
/Applications/Splunk/etc/splunk-launch.conf
Just do as @p_grab said. Open the file and splunk_launch.conf located in $SPLUNK_HOME/etc/ and put the
OPTIMISTIC_ABOUT_FILE_LOCKING = 1
In the end of that file. $Splunk_home is the directory where Splunk is installed
I can't even find the $SPLUNK_HOME/etc/ file in all of the Splunk files in the Finder. Should I just uninstall and start over?
No.. You will have the same issue. $SPLUNK_HOME
is your variable home path. On your Mac, $SPLUNK_HOME
will represent /Applications/splunk
He is telling you to go to where Splunk is installed, then go to the /Applications/splunk/etc/splunk-launch.conf
file and add that OPTIMISITC_ABOUT_FILE_LOCAKING =1
attribute and save the file. This will fix your issue, I'm on a Mac too