Installation

I tried to install Splunk on my personal laptop; it is not running. Need help to fix it, very urgent (High Sierra)

Rocky31
Path Finder

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /Applications/splunk/var/lib/splunk
Creating: /Applications/splunk/var/run/splunk
Creating: /Applications/splunk/var/run/splunk/appserver/i18n
Creating: /Applications/splunk/var/run/splunk/appserver/modules/static/css
Creating: /Applications/splunk/var/run/splunk/upload
Creating: /Applications/splunk/var/spool/splunk
Creating: /Applications/splunk/var/spool/dirmoncache
Creating: /Applications/splunk/var/lib/splunk/authDb
Creating: /Applications/splunk/var/lib/splunk/hashDb
New certs have been generated in '/Applications/splunk/etc/auth'.
Checking critical directories... Done
Checking indexes...
homePath='/Applications/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
rockys-MacBook-Pro:bin rocky$ ./splunk status
splunkd is not running.

0 Karma

nickhills
Ultra Champion

If I recall (I have seen this before on Answers), it's because of the new APFS file system on High Sierra.

[Edit: Here is the original answer: https://answers.splunk.com/answers/306998/why-am-i-getting-homepathoptsplunkvarlibsplunkaudi.html ]

Add the following line to $SPLUNK_HOME/etc/splunk-launch.conf

 OPTIMISTIC_ABOUT_FILE_LOCKING = 1

If my comment helps, please give it a thumbs up!

Rocky31
Path Finder

Yeah, I fixed it; I did the same. Thank you.

0 Karma

lejeuneyardsell
Engager

This fixed the issue for me. I'm running macOS High Sierra version 10.13.3 (17D47)

I did a $ vi /Applications/Splunk/etc/splunk-launch.conf

then inserted the line OPTIMISTIC_ABOUT_FILE_LOCKING = 1

Relaunched Splunk and it worked

0 Karma
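
The edit described in this thread, written as a shell function that can be re-run safely. This is an added example, not part of any post and not Splunk's own tooling; the function name `set_launch_option` is hypothetical, and the path in the closing comment is the one quoted in the post above.

```shell
#!/bin/sh
# Added example. set_launch_option is a hypothetical helper name.
# Usage: set_launch_option FILE KEY VALUE
# Prints "updated" or "unchanged"; saves FILE.bak before modifying FILE.
set_launch_option() {
    conf=$1; key=$2; value=$3
    if [ ! -f "$conf" ]; then
        echo "missing: $conf" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2

    # Rewrite active "KEY = ..." lines to the wanted value and collapse
    # duplicates. Commented-out lines are left alone. If no active line
    # exists, append the setting at the end of the file.
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[ \t]*" k "[ \t]*=" {
            if (!seen) print k " = " v
            seen = 1
            next
        }
        { print }
        END { if (!seen) print k " = " v }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Nothing to do when the file already has exactly this setting.
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        echo "unchanged"
        return 0
    fi

    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 2; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "updated"
}

# Example call (path as quoted in the thread):
# set_launch_option /Applications/Splunk/etc/splunk-launch.conf OPTIMISTIC_ABOUT_FILE_LOCKING 1
```

Restart Splunk after the file changes so the new launch setting is read.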

cpetterborg
SplunkTrust

The problem seems to be with the file system where /Applications/splunk/var/lib/splunk/audit/d will reside.

How much free space do you have on that filesystem? Is it an HFS filesystem? Is there anything else odd about that filesystem? Run:

splunkd validatedb

and see if you get any additional information.

0 Karma