Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

running splunk with docker - ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment

sarit_s
Communicator
‎04-09-2019 10:06 AM

hello
I was testing Docker as an easy solution to roam Splunk. I have encounter an issue and need your help.

Here are the steps I took:

  1. Created a fresh Splunk container using an official article: https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/DeployandrunSplunkEnterpriseinsideDo...
  2. I have connect to the Splunk app through the web and uploaded a csv to have some data
  3. I have stopped the container and created an image
  4. I have moved the image and run it on another host

On the other host I receive the below error messages.

fatal: [localhost]: FAILED! =>
{"changed": false, "cmd":
["/opt/splunk/bin/splunk",
"hash-passwd", "Xpktbe!23"], "delta":
"0:00:00.314896", "end": "2019-03-27
09:56:43.305836", "msg": "non-zero
return code", "rc": 8, "start":
"2019-03-27 09:56:42.990940",
"stderr": "", "stderr_lines": [],
"stdout": "ERROR: Couldn't determine
$SPLUNK_HOME or $SPLUNK_ETC; perhaps
one should be set in environment",
"stdout_lines": ["ERROR: Couldn't
determine $SPLUNK_HOME or $SPLUNK_ETC;
perhaps one should be set in
environment"]}
to retry, use: --limit @/opt/container_artifact/ansible-retry/site.retry
PLAY RECAP
********************************************************************* localhost : ok=18

changed=1 unreachable=0 failed=1

ERROR: Couldn't read
"/opt/splunk/etc/splunk-launch.conf"
-- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

can someone help ?
thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frmercier
Engager
‎10-14-2019 05:00 AM

I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ephemeric
Contributor
‎08-23-2021 06:03 AM

Check your SELinux log:

 

grep "denied" /var/log/audit/audit.log

 

 

Enable SELinux perms for your bind mount:

 

docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' -v /opt/splunk:/opt/splunk:Z splunk/splunk:latest

 

 

https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

"The Z option indicates that the bind mount content is private and unshared."

 

0 Karma
Reply
Solved! Jump to solution
Solution

frmercier
Engager
‎10-14-2019 05:00 AM

I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.

0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎04-11-2019 05:34 AM

any idea ?

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎04-12-2019 10:43 AM

Hi! Usually this comes down to the volume mounts missing or needing to be updated. Can you share your swarm file?

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...