You'll want to append the following configuration option to $SPLUNK_HOME/etc/splunk-launch.conf:
OPTIMISTIC_ABOUT_FILE_LOCKING = 1
Note from malmoore (Splunk): As of 28 March 2018, this workaround has been officially documented in the Troubleshooting Manual. See Splunk Enterprise does not start due to unusable filesystem in the manual for the procedure.
The caveats for using this workaround still apply. Proceed with caution, and at your own risk. Irrevocable data loss can still occur. We have already had one report in this thread of problems that have occurred after enabling this setting.
Key points (as of 24 April 2018)
This was spot on for me. Great advice, thanks.
i have the same issue, i don't the line in splunk-launch.conf
is it i need to add the line in .conf file
i fixed it thank you
The comment from Dimitri mentioning Sierra triggered me to try this configuration option. It worked for me on my recently upgraded MacBook.
This is fixed in splunk 6.5.*, the problem was for MACOS Sierra filesystem check.
For older versions you could use the workaround above, or upgrade.
yannK: I had this issue using Splunk 7.0.0 on High Sierra using APFS and have filed a support case requesting APFS support.
After adding OPTIMISTICABOUTFILE_LOCKING = 1 to splunk-launch.conf file it worked for Mac OS High Sierra Version 10.13.1 (17B48). Thank you so much for the suggestion!
Hi where did you added this line OPTIMISTICABOUTFILE_LOCKING = 1
This is my splunk-launch.conf
# Version 7.0.1 # Modify the following line to suit the location of your Splunk install. # If unset, Splunk will use the parent of the directory containing the splunk # CLI executable. # # SPLUNK_HOME=/opt/build/splunk-home # By default, Splunk stores its indexes under SPLUNK_HOME in the # var/lib/splunk subdirectory. This can be overridden # here: # # SPLUNK_DB=/opt/build/splunk-home/var/lib/splunk # Splunkd daemon name SPLUNK_SERVER_NAME=Splunkd # Splunkweb daemon name SPLUNK_WEB_NAME=splunkweb # If SPLUNK_OS_USER is set, then Splunk service will only start # if the 'splunk [re]start [splunkd]' command is invoked by a user who # is, or can effectively become via setuid(2), $SPLUNK_OS_USER. # (This setting can be specified as username or as UID.) # # SPLUNK_OS_USER