Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk service didn't start automatically after server reboot

mlevsh
Builder
‎07-17-2019 12:49 PM

Hi,

We have Splunk Enteprise v. 6.6.3 Heavy Forwarders.
1) We configured Splunk to start on reboot as our splunk_user by running

"$SPLUNK_HOME$/bin/splunk enable boot-start -user splunk_user"
2) /etc/init.d/splunk script was created and
SPLUNK_OS_USER was set to splunk_user in /opt/splunk/etc/splunk-launch.conf
3) our heavy forwarders are set to be rebooted once per month and it was going ok .
Splunk services were getting restarted automatically every time

4) Recently we worked with our Linux Admins to increase ulimit -n on one of heavy forwarders.
Our Unix admins made the required change on system level.
They also updated /etc/init.d/splunk script by adding the following to splunk_start() and
splunk_restart() functions:

  ulimit -Hn <value>
  ulimit -Sn  <value>

Then Splunk was stopped and server was rebooted and this time Splunk service didn't start automatically
We had to start it manually.

What could be the reason and what's the best way to troubleshoot this and fix it if needed to prevent this from happening again

Thank you in advance!

0 Karma
Reply

MuS
Legend
‎07-17-2019 01:27 PM

So, what does your /var/log/messages tell you? Looks like the recent change of /etc/init.d/splunk did not work.

cheers, MuS

0 Karma
Reply

ddrillic
Ultra Champion
‎07-17-2019 01:04 PM

We spoke about it at this thread and it might help you - How do we enable a forwarder boot-start?

0 Karma
Reply

mlevsh
Builder
‎07-17-2019 01:21 PM

@ddrillic , thank you!
I actually went through that thread and especially noted your post:
"Very interesting - yesterday we checked a server that had this /etc/init.d/splunk file but the splunk process was not started 15 days ago when the server was rebooted. We ended up rebooting the server a couple of times and in these cases, Splunk did come up. Confusing ; -) "

So it is still not clear for us why splunk auto restart worked before and didn't work this time 🙂

Reply

ddrillic
Ultra Champion
‎07-17-2019 01:39 PM

Thank you for the attention @mlevsh and the quote ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...