Hi,
I was working on a Puppet module to update an existing splunkforwarder from 6.1.* to 7.1.7. Installation went smoothly, but now the forwarder is failing to start with the below error message:
systemd[1]: Failed to read PID from file /**/splunk/splunkd.pid: Invalid argument
CentOS is the target machine.
splunk.service file
[Unit]
Description=Splunk Enterprise 7.1.7
After=network.target
Wants=network.target
[Service]
Type=forking
RemainAfterExit=False
User=root
Group=root
LimitNOFILE=65536
ExecStart=/**/splunk start --accept-license --answer-yes --no-prompt
ExecStop=/**/splunkstop
PIDFile=/**/splunkforwarder/var/run/splunk/splunkd.pid
Restart=always
[Install]
WantedBy=multi-user.target
# If you want to use $(systemctl [start|stop|restart] splunk) instead of splunkd ...
Alias=gsosplunk.service
And the Puppet script involves the below procedure for starting the Splunk agent:
I just ensured that splunk.service has the necessary permissions.
Reload the systemctl daemon and ensure that it is running via Puppet code.
I came across a couple of posts where the files did not have enough permissions. But in my case, since Splunk is started with root privileges, I don't see anything like that.
And on a few occasions, I was able to successfully start the process (by removing the PID file when the process is running), but I don't think it's the proper way to start it.
I have seen PID issues when Splunk Enterprise or Splunk Forwarders have been started as root, but are now being started as another user. The PID file is owned by root and won't let the other user start it. Check your permissions on the PID file and verify the user you are starting Splunk as.
It is also best practice to run the forwarders as a non-root user.
Thanks for your reply. I checked the permissions on PID file.
-rw-------. 1 root root 6 Aug 9 05:37 conf-mutator.pid
-rw-r-----. 1 root root 12 Aug 9 05:37 splunkd.pid
Looks like it is accessible only by root. Also, the script to start Splunk is executed with root privileges.
I have a doubt about whether the previous version of Splunk was removed cleanly. I will check how to remove it properly.
For reference: Run Splunk Enterprise as a different or non-root user. Applies to forwarders as well.
Also, it sounds like you are removing the old installation and not uninstalling it properly.
Even better would be to upgrade the forwarder in place and not uninstall first.
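
The ownership check suggested in the replies, as an added shell example that is not part of the original thread: it reads User= and PIDFile= from a unit file and compares them with the owner of the PID file. The function names are hypothetical, all paths are supplied by the caller, and GNU stat (as shipped on CentOS) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the account a systemd unit
# runs as with the owner and mode of the PID file that unit points at.

# unit_value KEY UNIT_FILE: print the last "KEY=value" setting in the unit.
unit_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# check_pidfile UNIT_FILE [PID_FILE]
# Prints one result line. Returns 0 when the owner matches User=,
# 1 on an owner mismatch, 2 when there is no PID file to inspect.
check_pidfile() {
    unit=$1
    run_as=$(unit_value User "$unit")
    # systemd runs system services as root when User= is not set
    [ -n "$run_as" ] || run_as=root
    # An explicit second argument overrides the unit's PIDFile= setting
    pidfile=${2:-$(unit_value PIDFile "$unit")}

    if [ -z "$pidfile" ] || [ ! -e "$pidfile" ]; then
        echo "MISSING pidfile=${pidfile:-unset} user=$run_as"
        return 2
    fi

    # GNU stat: %U = owner name, %a = octal permission bits
    owner=$(stat -c %U "$pidfile")
    mode=$(stat -c %a "$pidfile")

    if [ "$owner" != "$run_as" ]; then
        echo "MISMATCH pidfile=$pidfile owner=$owner mode=$mode user=$run_as"
        return 1
    fi
    echo "OK pidfile=$pidfile owner=$owner mode=$mode user=$run_as"
    return 0
}

# Usage: sh check_pidfile.sh <unit file> [pid file]
if [ "$#" -ge 1 ]; then
    check_pidfile "$@"
fi
```

A MISMATCH line is the situation described in the first reply: a PID file left behind by a root-started instance while the unit now runs as another account.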