Solved: Why is Splunkd not starting after a reboot, wih Sy...

yannK · ‎04-13-2022

We setup splunkd to autostart using systemd.
-> https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice

but when the linux server reboot, we did no see Splunkd starting, we had to manually start it.

yannK · ‎04-13-2022

TL;DR : you need systemd setup AND splunkd service enabled for it to kick in.

____

1) Check if you have the systemd script setup :
/etc/systemd/system/Splunkd.service

2) check if the Splunkd service is enabled

systemctl status Splunkd

when it's enabled and started, you will see

● Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-04-13 14:46:44 UTC; 4h 46min ago
 Main PID: 982 (splunkd)
   Memory: 1.0G (limit: 1.7G)
   CGroup: /system.slice/Splunkd.service
           ├─ 982 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           ├─1756 [splunkd pid=982] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
           ├─2279 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize...
           ├─2408 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
           └─2411 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore

If it's disabled and not started you will see

 Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; disabled; vendor preset: disabled)

if it's disabled but was manually started you will see

 Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-04-13 14:46:44 UTC; 4h 51min ago
 Main PID: 982 (splunkd)
   CGroup: /system.slice/Splunkd.service
           ├─ 982 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           ├─1756 [splunkd pid=982] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
           ├─2279 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize...
           ├─2408 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
           └─2411 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore

if you do not see it enabled, enable it

systemctl enable Splunkd

Then it should autostart when you reboot your server.

View solution in original post

yannK · ‎04-13-2022

TL;DR : you need systemd setup AND splunkd service enabled for it to kick in.

____

1) Check if you have the systemd script setup :
/etc/systemd/system/Splunkd.service

2) check if the Splunkd service is enabled

systemctl status Splunkd

when it's enabled and started, you will see

● Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-04-13 14:46:44 UTC; 4h 46min ago
 Main PID: 982 (splunkd)
   Memory: 1.0G (limit: 1.7G)
   CGroup: /system.slice/Splunkd.service
           ├─ 982 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           ├─1756 [splunkd pid=982] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
           ├─2279 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize...
           ├─2408 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
           └─2411 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore

If it's disabled and not started you will see

 Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; disabled; vendor preset: disabled)

if it's disabled but was manually started you will see

 Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
   Loaded: loaded (/etc/systemd/system/Splunkd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-04-13 14:46:44 UTC; 4h 51min ago
 Main PID: 982 (splunkd)
   CGroup: /system.slice/Splunkd.service
           ├─ 982 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
           ├─1756 [splunkd pid=982] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
           ├─2279 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize...
           ├─2408 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
           └─2411 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore

if you do not see it enabled, enable it

systemctl enable Splunkd

Then it should autostart when you reboot your server.

Why is Splunkd not starting after a reboot, wih Systemd enable-boot start?

Linux

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Why is Splunkd not starting after a reboot, wih Systemd enable-boot start?

Linux

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle