Solved: "ImportError: ... Symbol not found: _inflateValida...

kcepull2 · ‎10-23-2017

When starting Splunk 6.6.3 after upgrading to High Sierra, I was seeing the following errors:

Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
Traceback (most recent call last):
  File "/Applications/splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 17, in <module>
    import splunk.clilib.cli_common as comm
  File "/Applications/splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 10, in <module>
    from xml.sax import saxutils
  File "/Applications/splunk/lib/python2.7/xml/sax/saxutils.py", line 6, in <module>
    import os, urlparse, urllib, types
  File "/Applications/splunk/lib/python2.7/urllib.py", line 1440, in <module>
    from _scproxy import _get_proxy_settings, _get_proxies
ImportError: dlopen(/Applications/splunk/lib/python2.7/lib-dynload/_scproxy.so, 2): Symbol not found: _inflateValidate
  Referenced from: /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
  Expected in: /Applications/splunk/lib/libz.1.dylib
 in /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib

[This was after adding "OPTIMISTIC_ABOUT_FILE_LOCKING = 1" to the splunk-launch.conf to allow it to start on APFS.]

After some research, the 'fix' that seems to work was to copy over the (updated?) libz.1.dylib from /usr/lib as follows:

sudo rm /opt/splunk/lib/libz.1.dylib
sudo cp /usr/lib/libz.1.dylib /opt/splunk/lib/libz.1.dylib

This seems to allow Splunk to start now.

Note: This doesn't appear to be a problem with Splunk 7.0, just 6.6.x.

kcepull2 · ‎10-23-2017

After some research, the 'fix' that seems to work was to copy over the (updated?) libz.1.dylib from /usr/lib as follows:

 sudo rm /opt/splunk/lib/libz.1.dylib
 sudo cp /usr/lib/libz.1.dylib /opt/splunk/lib/libz.1.dylib

This seems to allow Splunk to start now.

Note: This doesn't appear to be a problem with Splunk 7.0, just 6.6.x.

Special Note: We have revoked support for all versions of Splunk software on macOS 10.13 High Sierra as of 23 Feb 2018. We might reinstate support at a later time, but there is no timeline for that reinstatement, or the work required to satisfy conditions for reinstatement.

View solution in original post

kcepull2 · ‎10-23-2017

After some research, the 'fix' that seems to work was to copy over the (updated?) libz.1.dylib from /usr/lib as follows:

 sudo rm /opt/splunk/lib/libz.1.dylib
 sudo cp /usr/lib/libz.1.dylib /opt/splunk/lib/libz.1.dylib

This seems to allow Splunk to start now.

Note: This doesn't appear to be a problem with Splunk 7.0, just 6.6.x.

Special Note: We have revoked support for all versions of Splunk software on macOS 10.13 High Sierra as of 23 Feb 2018. We might reinstate support at a later time, but there is no timeline for that reinstatement, or the work required to satisfy conditions for reinstatement.

kcepull2 · ‎03-28-2018

Please note that the "Special Note" paragraph in the above text was NOT put there by me, but (I assume) by someone from Splunk.

ChrisG · ‎04-24-2018

Update: This is fixed in the Splunk Enterprise 7.1 release. The fix will also appear in a future 7.0.x maintenance release.

ChrisG · ‎03-28-2018

Some coverage in the documentation now: Splunk Enterprise does not start due to unusable file system.

triest · ‎08-07-2019

While the above link is helpful as it is another issue experienced on OS X, it isn't related to the issue above. Even though this is a fairly old post, I can confirm the issue with Splunk 6.x on Mojave

"ImportError: ... Symbol not found: _inflateValidate" when starting Splunk 6.x on MacOS High Sierra (10.13)

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Enterprise Security Content Update (ESCU) | New Releases