Restarting splunkweb only throws weird errors

LegalPrime · ‎01-12-2021

I have taken over deployed Splunk with Master node, several indexers and search heads. I want to update TLS cert for web splunk we have, so I place them into folder wherethey belong and want to restart splunkweb only.

I run ps aux | grep "splunk" to see what user the splunk services run under - it's splunkadmin.

I navigate to $SPLUNK_HOME/bin and try running both of these:

sudo ./splunk restart splunkweb
# prompts for authentication (which I do with administrator account I confirm that exists in $SPLUNK_HOME/etc/passwd
# gives me simple output: Can't create directory "/root/.splunk": Permission denied

sudo -u splunkadmin ./splunk restart splunkweb
# i authenticate as above and receive:
# Can't create directory "/dev/null/.splunk": Not a directory

Can you think of a different way to restart only splunkweb? And if not, can you help me figure out what is the problem here? Where do I find the logs that tell me more about the error that I get?

Thank you for your time and help.

saravanan90 · ‎01-12-2021

Splunk tries to create an auth token in home directory of a user splunkadmin. Try to set up a home directory for user splunkadmin & run the command.

Restarting splunkweb only throws weird errors

Linux

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Join the Conversation

Restarting splunkweb only throws weird errors

Linux

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives