I am trying to use splunk to pull event logs from computers on the domain and archive them. I installed it on one machine and it runs at startup. The splunkd service never loads, it gets stuck in the "starting" status. I tried restarting the services from the bin directory. In the console that pops up I get Checking index directory... WARNING Index directory '\10.12.21.36\logs\Splunk' does not exist. It then asks to create the index. I say yes and get the following error in the event log:
Exception: , Value:[Error 123] The filename, directory name, or volume lael syntax is incorrect: '\\\\'
I've tried killing the process and restarting it but even though I'm set up as an admin on the machine, I can't kill the process using taskkill. It says Access is denied.
Whether or not you can kill a process running as a service depends on if you're logged in with sufficient privilege to do so. For processes running under the LocalSystem account, even Administrators lack the privs to do so.
If you are going to be polling remote systems using Windows facilities (UNC paths, remote registry, and the like) you will probably want your Splunkd running as a domain account if it is not already.
What Splunk configuration files did you most recently update? It sounds like there might be something somewhere with 5 backslashes in it.
The splunkd service is running as a domain service account. As for the configuration files I don't really know. I wasn't the one who installed it, and I'm not the one who would usually maintain it. How would I go about finding out which files have been updated.
Splunk config files are in the "etc" directory under Splunk's home dir - normal convention is for you to put your versions of them inside of a "local" subdirectory.
The only file that looks to have been modified after the initial install data is the "splunk-launch" file.
WARNING Index directory '\10.12.21.36\logs\Splunk' does not exist. It then asks to create the index. I say yes and get the following error in the event log: It says:
SPLUNK_DB = \10.12.21.36\logs\Splunk
That is not the IP address of the machine running splunk. Should it be?
It sounds like there may be something screwy in one of your indexes.conf files. Please advise via a comment if you have resolved this - and if you've not please revise your question above the output of 'splunk cmd btool indexes list' (make sure to use the 'code' formatting option so your edit is legible)