
With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

New Member

What is the command to start the Splunk service? Or better, what is the Splunk service name?

Tried splunk and splunkd

This is RHEL 7.5 and Splunk Forwarder splunkforwarder-7.1.3-51d9cac7b837-linux-2.6-x86_64.rpm

0 Karma

Re: With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

SplunkTrust

It depends on your environment. To start Splunk manually, use $SPLUNK_HOME/bin/splunk start.

To start Splunk automatically, you must enable boot-start. Run $SPLUNK_HOME/bin/splunk enable boot-start as root to have the forwarder run as root every time the server restarts. This is not optimal, however, as running non-OS processes as root could pose a security risk. A better option is to edit /etc/init.d/splunk to start Splunk as a different user.

Some systems use systemctl to start services at boot time. Talk to your Linux admin about that.

---
If this reply helps you, an upvote would be appreciated.

0 Karma

Re: With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

New Member

Hi Rich, that did help and I was able to get to that folder. I will try to use the user splunk splunk:

I'm trying to follow the next steps and get it to contact my Splunk indexer.

I added the FW command
Step 5. firewall-cmd --zone=public --add-port=8089/tcp --permanent
Step 5. firewall-cmd --zone=public --add-port=9998/tcp --permanent
Step 6. firewall-cmd --reload

I use a splunk deploy app and

These "apps" are installed into /etc/apps (reverse the slashes if on windows, but still the same path). A properly configured forwarder will have the following apps installed:

use_splunkdeploy  (installs config required to talk to the deployment server)

I've edited my inputs.conf to add index. hostname was already there.
I've restarted splunk but I'm not getting any traffic, and the fwdtocluster_ssl folder is not being created. I'm checking FW logs and not even seeing the block. What should I check next?

Splunk Service is running,
input.conf updated
config files uploaded
Local FW ports opened

0 Karma

Re: With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

SplunkTrust

So now you're doing more than just starting Splunk.
You've opened port 9998 in your firewall. Is that the port you've configured on both the forwarder and indexer? Is the indexer set to receive data?
What is the fwdtocluster_ssl folder? It's not a Splunk folder so the forwarder will not create it.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

Engager

$SPLUNK_HOME/bin/splunk enable boot-start -user $user will configure the Splunk service to run as $user.

0 Karma

Re: With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

SplunkTrust

As an alternative, modify /opt/splunk/etc/splunk-launch.conf and set the OS user parameter in there to splunk.
Or follow the steps in Configure Splunk Enterprise to start at boot time

0 Karma
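
Added example, not part of any post in this thread: a shell check that a forwarder is set up to run as a non-root account, which is the point of the boot-start and splunk-launch.conf replies above. It assumes the splunk-launch.conf key is SPLUNK_OS_USER and that process data arrives as "user command" pairs, as printed by `ps -eo user=,comm=`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that a Splunk forwarder is configured and running as non-root.
# Assumptions (not from the thread): the splunk-launch.conf key is SPLUNK_OS_USER,
# and process data is "user command" pairs as printed by `ps -eo user=,comm=`.

# Print SPLUNK_OS_USER from a splunk-launch.conf file.
# Commented-out lines are ignored; the last uncommented assignment wins.
launch_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1
}

# Read "user command" lines on stdin; print each account that owns a splunkd process.
splunkd_owners() {
    awk '$2 == "splunkd" { print $1 }' | sort -u
}

# audit_forwarder CONF PS_TEXT
# Prints findings. Returns 0 only if a non-root SPLUNK_OS_USER is set and every
# splunkd process in PS_TEXT belongs to that account.
audit_forwarder() {
    conf=$1
    ps_text=$2
    rc=0
    user=$(launch_user "$conf")
    if [ -z "$user" ]; then
        echo "WARN: SPLUNK_OS_USER not set in $conf"
        rc=1
    elif [ "$user" = "root" ]; then
        echo "FAIL: SPLUNK_OS_USER is root"
        rc=1
    else
        echo "OK: SPLUNK_OS_USER=$user"
    fi
    for owner in $(printf '%s\n' "$ps_text" | splunkd_owners); do
        if [ "$owner" = "root" ]; then
            echo "FAIL: splunkd process running as root"
            rc=1
        elif [ -n "$user" ] && [ "$owner" != "$user" ]; then
            echo "WARN: splunkd running as $owner, expected $user"
            rc=1
        fi
    done
    return $rc
}

# On a live host, with SPLUNK_HOME set as in the thread:
#   audit_forwarder "$SPLUNK_HOME/etc/splunk-launch.conf" "$(ps -eo user=,comm=)"
```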