Installation

Error starting splunk on Mac High Sierra.

carlotavina
Engager

I installed Splunk 7.0. When I click start Splunk, I get the following error in the terminal:

Splunk> Another one.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue

Where can I find the documentation to fix this error?


livehybrid
Builder

Hi,
I've seen this before on my own machine:
You'll want to append the following configuration option to $SPLUNK_HOME/etc/splunk-launch.conf:
OPTIMISTIC_ABOUT_FILE_LOCKING = 1

Then restart Splunk and it should start without any issues. Let me know how it goes!


ChrisG
Splunk Employee

There is information about this in the documentation now: Splunk Enterprise does not start due to unusable file system.

ChrisG
Splunk Employee

Update: This is fixed in the Splunk Enterprise 7.1 release. The fix will also appear in a future 7.0.x maintenance release.

rfdin
Engager

@livehybrid - so Splunk simply shouldn't be installed on Mac 10.13.x? Can you point me to a link/URL for more info? TIA


jiakalita
Engager

Hi, I am trying to gain some hands-on learning of Splunk on my Mac (version 10.13.4, installed Splunk 7.0.3). But based on related threads it seems to be a risky option for users.
1) Is it safe to try setting the OPTIMISTIC_ABOUT_FILE_LOCKING = 1 configuration?
2) In case data loss occurs on my system due to this, how do I go back to the previous setting?
I did read in one of the answers that "There is work scheduled to fix the error for macOS 10.13" - any update on this?

livehybrid
Builder

It's also worth noting that support for ALL versions of Splunk software on macOS 10.13 High Sierra has been REVOKED as of 23 Feb 2018.

seemamalviya
Engager

Thanks, adding this line fixed the issue.


carlotavina
Engager

Thanks a lot.

Adding this line fixed the issue

I was able to start Splunk


ChrisG
Splunk Employee

Yes. Note that if you are concerned about your data in any way then you should not configure this bypass. This variable basically drops all filesystem lock checks and any data you store might or might not be retrievable.
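
For the append step in the accepted solution and the "how do I go back" question asked above, an added shell example (not part of the thread and not Splunk's own tooling): it appends the setting once, keeps a copy of the original file, and removes the line again. The function names and the `.pre-locking-bypass` backup suffix are made up for this example, and it assumes that deleting the line is enough to re-enable the filesystem check at the next start.

```shell
#!/bin/sh
# Added example (not from the thread): toggle the workaround line in a
# splunk-launch.conf whose path is passed as the first argument.
KEY="OPTIMISTIC_ABOUT_FILE_LOCKING"

# Succeeds only if an uncommented "KEY = 1" line is present.
workaround_enabled() {
    grep -Eq "^[[:space:]]*${KEY}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1"
}

# Append the setting once; keep a copy of the file as it was before.
enable_workaround() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    workaround_enabled "$conf" && return 0
    cp -p "$conf" "$conf.pre-locking-bypass" || return 1
    # Add a newline first if the last line is unterminated.
    [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
    echo "$KEY = 1" >> "$conf"
}

# Drop every uncommented KEY line (assumption: with the line gone,
# splunkd runs its filesystem check again at the next start).
disable_workaround() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # grep -v exits 1 when no line is left over; that is not an error here.
    grep -Ev "^[[:space:]]*${KEY}[[:space:]]*=" "$conf" > "$tmp" ||
        [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    # Write through the existing file so owner and mode stay unchanged.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Call either function with the path to `$SPLUNK_HOME/etc/splunk-launch.conf` and restart Splunk afterwards.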
