- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- running splunk with docker - ERROR: Couldn't deter...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I was testing Docker as an easy solution to roam Splunk. I have encounter an issue and need your help.
Here are the steps I took:
- Created a fresh Splunk container using an official article: https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/DeployandrunSplunkEnterpriseinsideDo...
- I have connect to the Splunk app through the web and uploaded a csv to have some data
- I have stopped the container and created an image
- I have moved the image and run it on another host
On the other host I receive the below error messages.
fatal: [localhost]: FAILED! =>
{"changed": false, "cmd":
["/opt/splunk/bin/splunk",
"hash-passwd", "Xpktbe!23"], "delta":
"0:00:00.314896", "end": "2019-03-27
09:56:43.305836", "msg": "non-zero
return code", "rc": 8, "start":
"2019-03-27 09:56:42.990940",
"stderr": "", "stderr_lines": [],
"stdout": "ERROR: Couldn't determine
$SPLUNK_HOME or $SPLUNK_ETC; perhaps
one should be set in environment",
"stdout_lines": ["ERROR: Couldn't
determine $SPLUNK_HOME or $SPLUNK_ETC;
perhaps one should be set in
environment"]}
to retry, use: --limit @/opt/container_artifact/ansible-retry/site.retry
PLAY RECAP
********************************************************************* localhost : ok=18
changed=1 unreachable=0 failed=1ERROR: Couldn't read
"/opt/splunk/etc/splunk-launch.conf"
-- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?
can someone help ?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check your SELinux log:
grep "denied" /var/log/audit/audit.log
Enable SELinux perms for your bind mount:
docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' -v /opt/splunk:/opt/splunk:Z splunk/splunk:latest
https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
"The Z option indicates that the bind mount content is private and unshared."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same error due to SELinux enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solve my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any idea ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Usually this comes down to the volume mounts missing or needing to be updated. Can you share your swarm file?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
