Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

running splunk with docker - ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment

sarit_s
Communicator
‎04-09-2019 10:06 AM

hello
I was testing Docker as an easy solution to roam Splunk. I have encounter an issue and need your help.

Here are the steps I took:

  1. Created a fresh Splunk container using an official article: https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/DeployandrunSplunkEnterpriseinsideDo...
  2. I have connect to the Splunk app through the web and uploaded a csv to have some data
  3. I have stopped the container and created an image
  4. I have moved the image and run it on another host

On the other host I receive the below error messages.

fatal: [localhost]: FAILED! =>
{"changed": false, "cmd":
["/opt/splunk/bin/splunk",
"hash-passwd", "Xpktbe!23"], "delta":
"0:00:00.314896", "end": "2019-03-27
09:56:43.305836", "msg": "non-zero
return code", "rc": 8, "start":
"2019-03-27 09:56:42.990940",
"stderr": "", "stderr_lines": [],
"stdout": "ERROR: Couldn't determine
$SPLUNK_HOME or $SPLUNK_ETC; perhaps
one should be set in environment",
"stdout_lines": ["ERROR: Couldn't
determine $SPLUNK_HOME or $SPLUNK_ETC;
perhaps one should be set in
environment"]}
to retry, use: --limit @/opt/container_artifact/ansible-retry/site.retry
PLAY RECAP
********************************************************************* localhost : ok=18

changed=1 unreachable=0 failed=1

ERROR: Couldn't read
"/opt/splunk/etc/splunk-launch.conf"
-- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

can someone help ?
thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frmercier
Engager
‎10-14-2019 05:00 AM

I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ephemeric
Contributor
‎08-23-2021 06:03 AM

Check your SELinux log:

 

grep "denied" /var/log/audit/audit.log

 

 

Enable SELinux perms for your bind mount:

 

docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' -v /opt/splunk:/opt/splunk:Z splunk/splunk:latest

 

 

https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

"The Z option indicates that the bind mount content is private and unshared."

 

0 Karma
Reply
Solved! Jump to solution
Solution

frmercier
Engager
‎10-14-2019 05:00 AM

I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.

0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎04-11-2019 05:34 AM

any idea ?

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎04-12-2019 10:43 AM

Hi! Usually this comes down to the volume mounts missing or needing to be updated. Can you share your swarm file?

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...