Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Why does Splunk forwarder fail to keep running...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does Splunk forwarder fail to keep running in Linux environment (variable in server.conf)?
Under /opt/splunkforwarder/etc/system/local/server.conf, we have used the env variable $INSTANCE_ID.
[general]
serverName = $INSTANCE_ID
We then verified that we got the right results by using the command:
./splunk show servername
This then showed the correct id we were looking for. However, when we go to start Splunk using ./splunk start OR ./splunk to restart it will then show it's started.
Right after it shows it's started, I attempt to verify it's running by using ./splunk status. This shows us that the service did not in fact start, and it still shows splunkd is not running.
Why is this?
We verified that if we hard code the result into the servername in server.conf, the service does in fact start.
But, for some reason, by using the env variable something is keeping Splunk from running.
Any help on this would be great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @joshnetwolf
- what are the last lines in the output of ./splunk start?
what does the env variable $INSTANCE_ID contains?
After any environment variables are expanded, the server name
(if not an IPv6 address) can only contain letters, numbers, underscores,
dots, and dashes. The server name must start with a letter, number, or an
underscore.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update:
If we disable boot-start I found that we can then start the service with no issues. But if I where to enable boot-start after the splunk service is restarted and then preform a ./splunk restart it will fail to restart and will remain offline until you disable boot-start again and start the service.
Other Details:
Splunk forwarder version: splunkforwarder-7.2.3-06d57c595b80-linux-2.6-x86_64
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ever figure this out @joshnetwolf ? I was just hitting the same issue now trying to implement the same w 7.3.x
Docs for 7.3 vs 8.x are the same so - but havent tested it with 8.x install yet.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
