Deployment Architecture

splunkforwarder 9.x requires tty enabled in k8s sidecar?

kevinhsu
New Member

Hello folks,

We are doing a splunkforwarder upgrade to 9.4.x (from 8.x) recently. We build the splunk sidecar image for our k8s application, and I noticed that the same procedures which worked previously in fwd version 8.x don't work anymore in 9.4.x.

During the docker image startup, it's clear to see the process hanging there and waiting for interaction.

bash-4.4$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
splunkf+       1       0  0 02:11 ?        00:00:00 /bin/bash /entrypoint.sh
splunkf+      59       1 99 02:11 ?        00:01:25 /opt/splunkforwarder/bin/splunk edit user admin -password XXXXXXXX -role admin -auth admin:xxxxxx --answer-yes --accept-license --no-prompt
splunkf+      61       0  0 02:12 pts/0    00:00:00 /bin/bash
splunkf+      68      61  0 02:12 pts/0    00:00:00 ps -ef

bash-4.4$ rpm -qa | grep splunkforwarder
splunkforwarder-9.4.3-237ebbd22314.x86_64
There is a workaround to add "tty: true" to the k8s deployment template, but this will take a lot of effort in our environment. Any idea if any newer version has the fix, or if any splunk command parameter can be used to bypass the tty requirement?

Thanks.

0 Karma

sramamurthy2
Explorer

The straightforward answer to your question is "NO".

Splunk 9.x, particularly the Universal Forwarder, has introduced changes related to security and user management. This includes the introduction of a new "least privileged" splunkfwd user for managing the forwarder on Linux, and potentially stricter requirements for TTY allocation during startup in certain scenarios.

When running in a containerized environment like Kubernetes, the lack of a TTY or specific user permissions can lead to the process hanging as it expects an interactive session, or failing to perform actions without the necessary privileges.

0 Karma