Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunkforwarder 9.x requires tty enabled in k8s sidecar?

kevinhsu
New Member
‎07-24-2025 06:18 PM

Hello folks,

We are doing splunkforwarder upgrade to 9.4.x (from 8.x) recently, we build the splunk sidecar image for our k8s application and i noticed the same procedures which works previous in fwd version 8.x don't work anymore in 9.4.x.

during the docker image startup, it's clearly to see the process hanging there and wait for interaction.

bash-4.4$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
splunkf+       1       0  0 02:11 ?        00:00:00 /bin/bash /entrypoint.sh
splunkf+      59       1 99 02:11 ?        00:01:25 /opt/splunkforwarder/bin/splunk edit user admin -password XXXXXXXX -role admin -auth admin:xxxxxx --answer-yes --accept-license --no-prompt
splunkf+      61       0  0 02:12 pts/0    00:00:00 /bin/bash
splunkf+      68      61  0 02:12 pts/0    00:00:00 ps -ef

bash-4.4$ rpm -qa | grep splunkforwarder
splunkforwarder-9.4.3-237ebbd22314.x86_64

 

there is a workaround to add a "tty: true" to k8s deployment template but this will cause a lot of efforts in our environment.   Any idea if any newer version has the fix? or any splunk command parameter can be used to bypass the tty requirement?

Thanks.

Labels (2)
Labels
0 Karma
Reply

sramamurthy2
Explorer
‎08-25-2025 05:16 AM

The straight forward answer to your question is "NO". 

Splunk 9.x, particularly the Universal Forwarder, has introduced changes related to security and user
management. This includes the introduction of a new "least privileged" splunkfwd user for managing the forwarder on Linux, and potentially stricter requirements for TTY allocation during startup in certain scenarios. 


When running in a containerized environment like Kubernetes, the lack of a TTY or specific user permissions can lead to the process hanging as it expects an interactive session or fails to perform actions without the necessary privileges.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...