I've been trying to get a system ready to deploy splunk on several hundred machines in a Linux/compute cluster ... we use RPM and YUM for the base OS installation and I'm trying to get 2 RPMs ready:
1. the stock Splunk RPM -- well, a slight modification, since the stock RPM deploys into /opt, which is a shared/network directory for us
   --> I'm relocating it to /usr/local/splunk
2. our specific pieces -- our license file, passwd file, and some of the ./etc/apps/ settings (search -> inputs.conf and outputs.conf; SplunkLightForwarder -> app.conf)
The second RPM seems to have everything it needs, but splunk times out when I try to start it.
Anyone have any ideas why it would not start up properly?
Or maybe a better question is how do you handle this on your large clusters?
Even with the deployment server idea, you'd still need to have a second splunk-start process since the stock RPM doesn't fire up splunk, just deploys the files.
Or am I missing something?
[root]# rpm -i RPMS/x86_64/splunk-client-dscr-4.1.6-1.x86_64.rpm
Splunk> Take the sh out of IT.
Checking mgmt port : open
Checking configuration... Done.
Checking index directory... Done.
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history,
main, sample, summary
Skipping SELinux check (to enable this check, unset the 'SPLUNK_IGNORE_SELINUX'
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Timed out waiting for splunkd to start. [FAILED]
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
[root]# ps -Af | grep splu
root 23294 23016 0 15:01 pts/0 00:00:00 grep splu
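A preflight check for a relocated install, added here as an example (it is not from the post above or from Splunk). It assumes the standard SPLUNK_HOME layout (etc/splunk-launch.conf, var/run/splunk/splunkd.pid, var/log/splunk/splunkd.log) and reports the things a move out of /opt commonly leaves behind: a SPLUNK_HOME value still pointing at the old path, a stale pid file, and the last errors splunkd logged.

```shell
#!/bin/sh
# Preflight for a Splunk install relocated from /opt to another SPLUNK_HOME.
# Added example, not code from the post or from Splunk. Assumed layout:
#   $SPLUNK_HOME/etc/splunk-launch.conf
#   $SPLUNK_HOME/var/run/splunk/splunkd.pid
#   $SPLUNK_HOME/var/log/splunk/splunkd.log

# splunk_preflight SPLUNK_HOME
# Prints each finding; returns 0 if clean, 1 if something would keep splunkd down.
splunk_preflight() {
    home="$1"
    rc=0
    launch="$home/etc/splunk-launch.conf"

    # 1. A SPLUNK_HOME line left over from the stock /opt layout sends the
    #    start script looking for files that are not under the new prefix.
    if [ -f "$launch" ]; then
        configured=$(sed -n 's/^SPLUNK_HOME=//p' "$launch" | tail -n 1)
        if [ -n "$configured" ] && [ "$configured" != "$home" ]; then
            echo "SPLUNK_HOME in $launch is '$configured', expected '$home'"
            rc=1
        fi
    else
        echo "missing $launch"
        rc=1
    fi

    # 2. A pid file from an earlier run whose process is gone makes the
    #    start script wait on nothing until it times out.
    pidfile="$home/var/run/splunk/splunkd.pid"
    if [ -f "$pidfile" ]; then
        pid=$(head -n 1 "$pidfile")
        if ! ps -p "$pid" >/dev/null 2>&1; then
            echo "stale pid file $pidfile (pid $pid is not running)"
            rc=1
        fi
    fi

    # 3. The last errors splunkd wrote are the quickest pointer to the real cause.
    log="$home/var/log/splunk/splunkd.log"
    if [ -f "$log" ]; then
        echo "recent errors in $log:"
        grep -E 'ERROR|FATAL' "$log" | tail -n 5
    fi
    return $rc
}
```

Run it as `splunk_preflight /usr/local/splunk` from the RPM %post scriptlet before calling `splunk start`, so the package fails with a readable reason instead of a bare timeout.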