Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- running splunk with docker - ERROR: Couldn't deter...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I was testing Docker as an easy solution to roam Splunk. I have encounter an issue and need your help.
Here are the steps I took:
- Created a fresh Splunk container using an official article: https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/DeployandrunSplunkEnterpriseinsideDo...
- I have connect to the Splunk app through the web and uploaded a csv to have some data
- I have stopped the container and created an image
- I have moved the image and run it on another host
On the other host I receive the below error messages.
fatal: [localhost]: FAILED! =>
{"changed": false, "cmd":
["/opt/splunk/bin/splunk",
"hash-passwd", "Xpktbe!23"], "delta":
"0:00:00.314896", "end": "2019-03-27
09:56:43.305836", "msg": "non-zero
return code", "rc": 8, "start":
"2019-03-27 09:56:42.990940",
"stderr": "", "stderr_lines": [],
"stdout": "ERROR: Couldn't determine
$SPLUNK_HOME or $SPLUNK_ETC; perhaps
one should be set in environment",
"stdout_lines": ["ERROR: Couldn't
determine $SPLUNK_HOME or $SPLUNK_ETC;
perhaps one should be set in
environment"]}
to retry, use: --limit @/opt/container_artifact/ansible-retry/site.retry
PLAY RECAP
********************************************************************* localhost : ok=18
changed=1 unreachable=0 failed=1ERROR: Couldn't read
"/opt/splunk/etc/splunk-launch.conf"
-- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?
can someone help ?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check your SELinux log:
grep "denied" /var/log/audit/audit.log
Enable SELinux perms for your bind mount:
docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' -v /opt/splunk:/opt/splunk:Z splunk/splunk:latest
https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
"The Z option indicates that the bind mount content is private and unshared."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any idea ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Usually this comes down to the volume mounts missing or needing to be updated. Can you share your swarm file?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
