It depends on your environment. To start Splunk manually, use
To start Splunk automatically, you must enable boot-start. Run
$SPLUNK_HOME/bin/splunk enable boot-start as root to have the forwarder run as root every time the server restarts. This is not optimal, however, as running non-OS processes as root could pose a security risk. A better option is to edit /etc/init.d/splunk to start Splunk as a different user.
Some systems use systemctl to start services at boot time. Talk to your Linux admin about that.
Hi Rich, that did help and I was able to get to that folder. I will try to use the user splunk splunk:
I'm trying to follow the next steps and get it to contact my Splunk indexer.
I added the FW command
Step 5. firewall-cmd --zone=public --add-port=8089/tcp --permanent
Step 5. firewall-cmd --zone=public --add-port=9998/tcp --permanent
Step 6. firewall-cmd --reload
I use a splunk deploy app and
These "apps" are installed into /etc/apps (reverse the slashes if on Windows, but still the same path). A properly configured forwarder will have the following apps installed:
use_splunkdeploy (installs config required to talk to the deployment server)
I've edited my inputs.conf to add index. hostname was already there.
I've restarted Splunk but I'm not getting any traffic, and the fwdtocluster_ssl folder is not being created. I'm checking FW logs and not even seeing the block. What should I check next?
Splunk Service is running,
config files uploaded
Local FW ports opened
So now you're doing more than just starting Splunk.
You've opened port 9998 in your firewall. Is that the port you've configured on both the forwarder and indexer? Is the indexer set to receive data?
What is the fwdtocluster_ssl folder? It's not a Splunk folder so the forwarder will not create it.
$SPLUNK_HOME/bin/splunk enable boot-start -user $user will configure the Splunk service to run as