Hi,
I've installed a UF on about 10 Windows machines, some desktops and some servers, and see some strange behaviour. On about 6 of them all is fine but on the other handful of machines I can see the process running in the process manager but it won't respond to any splunk commands like 'splunk status'. Splunk status is accepted and just comes back blank; it returns to the prompt with out returning anything. These guys, then, are also not sending windows event data in to their heavy forwarder.
The servers are W2k8 and the destops W7. On the desktops I see another dos window pop up very briefly on my problematic ones when I enter splunk status or splunk stop or start.
Anyone seen anything like this?
Thanks.
Open your command prompt as an admin account and try again.
I'll just convert it myself 😄
Thanks both of you. This is one of those ones where I don't have access to the boxes so I've asked the customer to try this. I'll advise once they get back to me.
I have experienced this behavior and running the cmd prompt as admin did the trick for me! Thanks, Martin. Hopefully this gets changed to an answer for you.
Suggestion: Check to see if the Splunk Forwarder ports are in use on the machines with the strange behavior. The default ports would be 8089 and 9997.
Thanks for the response. I haven't configured an output.conf yet so it shouldn't be trying to use 9997 I don 't think (left it blank during install). I can see the server phoning home on 8089 so it looks like it's using that happily. I pushed the windows ta to it and don't get any events back and I have this curious thing where it won't report it's status. Apparently it has been 'hardened' so there may be some UAC or other permissioning issues. splunkd.log?