running splunk with docker - ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment

sarit_s
Communicator

Hello,
I was testing Docker as an easy solution to roam Splunk. I have encountered an issue and need your help.

Here are the steps I took:

  1. Created a fresh Splunk container using an official article: https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/DeployandrunSplunkEnterpriseinsideDo...
  2. I have connected to the Splunk app through the web and uploaded a CSV to have some data
  3. I have stopped the container and created an image
  4. I have moved the image and run it on another host

On the other host I receive the below error messages.

fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["/opt/splunk/bin/splunk", "hash-passwd", "Xpktbe!23"], "delta": "0:00:00.314896", "end": "2019-03-27 09:56:43.305836", "msg": "non-zero return code", "rc": 8, "start": "2019-03-27 09:56:42.990940", "stderr": "", "stderr_lines": [], "stdout": "ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment", "stdout_lines": ["ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment"]}
to retry, use: --limit @/opt/container_artifact/ansible-retry/site.retry

PLAY RECAP *********************************************************************
localhost : ok=18 changed=1 unreachable=0 failed=1

ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?

Can someone help?
Thanks

0 Karma
1 Solution

frmercier
Engager

I had the same error due to SELinux being enabled. Disabling it (/etc/selinux/config SELINUX=disabled) solved my problem.

0 Karma

ephemeric
Contributor

Check your SELinux log:

grep "denied" /var/log/audit/audit.log

Enable SELinux perms for your bind mount:

docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' -v /opt/splunk:/opt/splunk:Z splunk/splunk:latest

https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

"The Z option indicates that the bind mount content is private and unshared."

0 Karma
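
An added example, not part of the thread: a small filter that goes one step past the grep above and reduces the audit log to the denials raised by container processes, showing which file was refused and what SELinux type it carries. The audit records are constructed samples, and the container domain names (container_t, or the older svirt_lxc_net_t) are assumptions about the host's policy.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials raised by container processes.
# Assumption: container domains are container_t (or the older svirt_lxc_net_t).

# Print "comm perms name target_type" for each container denial in an audit log.
# $1 = audit log path ("-" for stdin); defaults to /var/log/audit/audit.log.
container_denials() {
    awk '
    /type=AVC/ && /denied/ {
        comm = name = src = tgt = "-"
        # Requested permissions sit between "{ " and " }".
        p = index($0, "{ "); q = index($0, " }")
        perms = substr($0, p + 2, q - p - 2)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            if (key == "name") name = val
            # Contexts are user:role:type:level; keep only the type.
            if (key == "scontext") { split(val, c, ":"); src = c[3] }
            if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        }
        if (src == "container_t" || src == "svirt_lxc_net_t")
            print comm, perms, name, tgt
    }' "${1:-/var/log/audit/audit.log}"
}

# Constructed sample records (not taken from the thread).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1553680602.990:412): avc:  denied  { read } for  pid=4321 comm="splunk" name="splunk-launch.conf" dev="dm-0" ino=131 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1553680602.990:412): arch=c000003e syscall=2 success=no exit=-13 comm="splunk"
type=AVC msg=audit(1553680603.101:413): avc:  denied  { getattr search } for  pid=4321 comm="splunk" name="etc" dev="dm-0" ino=77 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553680700.500:420): avc:  denied  { write } for  pid=990 comm="httpd" name="app.log" dev="dm-0" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# A target type other than container_file_t suggests the bind mount was not relabelled.
sample_audit_log | container_denials -
```

On a real host, run `container_denials` with no argument (as root) to read /var/log/audit/audit.log.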

sarit_s
Communicator

Any idea?

0 Karma

mattymo
Splunk Employee

Hi! Usually this comes down to the volume mounts missing or needing to be updated. Can you share your swarm file?

- MattyMo
0 Karma