I've been trying to get a system ready to deploy splunk on several hundred machines in a Linux/compute cluster ... we use RPM and YUM for the base OS installation and I'm trying to get 2 RPMs ready:

1. the stock Splunk rpm -- well, slight modification since the stock RPM deploys into /opt which is a shared/network directory for us --> I'm relocating it to /usr/local/splunk

2. our specific pieces -- our license file, passwd file, and some of the ./etc/apps/ settings (search->inputs.conf and outputs.conf; SplunkLightForwarder -> app.conf)

The second rpm seems to have everything it needs, but splunk times-out when I try to start it.

Anyone have any ideas why it would not starting up properly?

Or maybe a better question is how do you handle this on your large clusters?

Even with the deployment server idea, you'd still need to have a second splunk-start process since the stock RPM doesn't fire up splunk, just deploys the files.

Or am I missing something?

[root]# rpm -i RPMS/x86_64/splunk-client-dscr-4.1.6-1.x86_64.rpm 

Splunk> Take the sh out of IT.

Checking prerequisites...
    Checking mgmt port [8089]: open
    Checking configuration...  Done.
    Checking index directory...  Done.
    Checking databases...
    Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, 
main, sample, summary
Skipping SELinux check (to enable this check, unset the 'SPLUNK_IGNORE_SELINUX' 
environment variable).

All preliminary checks passed.

Starting splunk server daemon (splunkd)... 
Timed out waiting for splunkd to start. [FAILED]


Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

[root]# ps -Af | grep splu
root     23294 23016  0 15:01 pts/0    00:00:00 grep splu

... i.e. no splunk processes are running