Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk install on MacOS is not working

PSIPol
New Member
‎08-25-2017 09:33 AM

the command-line script

(clear; '/Applications/Splunk/bin/splunk' ftr
--accept-license || touch "/tmp/splunk_start_failed_6986"); rm "/tmp/splunk_start_running_3397"

aborted w/ this error:

This appears to be your first time running this version of Splunk.
Traceback (most recent call last):
  File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 17, in <module>
    import splunk.clilib.cli_common as comm
  File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 10, in <module>
    from xml.sax import saxutils
  File "/Applications/Splunk/lib/python2.7/xml/sax/saxutils.py", line 6, in <module>
    import os, urlparse, urllib, types
  File "/Applications/Splunk/lib/python2.7/urllib.py", line 1440, in <module>
    from _scproxy import _get_proxy_settings, _get_proxies
ImportError: dlopen(/Applications/Splunk/lib/python2.7/lib-dynload/_scproxy.so, 2): Symbol not found: _inflateValidate
  Referenced from: /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
  Expected in: /Applications/Splunk/lib/libz.1.dylib
 in /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
Labels (1)
Labels
0 Karma
Reply

garrettdavidson
Engager
‎09-14-2017 03:02 PM

Are you running the High Sierra beta? I'm on the beta and seeing the same issue.

Update:
Just did some poking around and made some progress. I noticed that the error is coming from /Applications/Splunk/lib/libz.1.dylib. Going there, I discovered that the offending library is an alias to lib.1.2.8.dylib in the same folder. I replaced this alias with an alias to /usr/lib/libz.1.dylib (which is aliased to by /usr/lib/libz.1.2.8.dylib). This got past the original error and ./splunk ftr succeeded. However, now I'm getting the following:

➜  ~ /Applications/Splunk/bin/splunk start

Splunk> The IT Search Engine.

Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
    Checking configuration...  Done.
        Creating: /Applications/Splunk/var/lib/splunk
        Creating: /Applications/Splunk/var/run/splunk
        Creating: /Applications/Splunk/var/run/splunk/appserver/i18n
        Creating: /Applications/Splunk/var/run/splunk/appserver/modules/static/css
        Creating: /Applications/Splunk/var/run/splunk/upload
        Creating: /Applications/Splunk/var/spool/splunk
        Creating: /Applications/Splunk/var/spool/dirmoncache
        Creating: /Applications/Splunk/var/lib/splunk/authDb
        Creating: /Applications/Splunk/var/lib/splunk/hashDb
New certs have been generated in '/Applications/Splunk/etc/auth'.
    Checking critical directories...    Done
    Checking indexes...
homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'.  If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue

The important part here is homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.. It appears that Splunk blindly refuses to run on an APFS partitioned disk. ¯\(ツ)

Update Part 2:
I got it working!
Thanks to this answer, I learned that I just needed to add the line OPTIMISTIC_ABOUT_FILE_LOCKING = 1 to my /Applications/Splunk/etc/splunk-launch.conf. Doing this got Splunk to properly launch on my Mac. However, I imagine that filesystem check is there for a reason, so use at your own risk. It seems that it just has to do with file locking, so worst case is probably that you risk a corrupt Splunk database, but I can't say for sure.

Reply

stanlastsplunk
Engager
‎11-10-2017 09:12 AM

Had the same, thanks to your post I was able to solve with changing link

ln -hfs /usr/lib/libz.1.dylib /Applications/Splunk/lib/libz.1.dylib

,Had the same issue after upgrade to High Sierra, solved the same as you with
ln -hfs /usr/lib/libz.1.dylib /Applications/Splunk/lib/libz.1.dylib
and adding OPTIMISTIC_ABOUT_FILE_LOCKING = 1 to config

Reply

sunilsk1
Path Finder
‎07-13-2018 05:39 AM

Thanks a LOT ! . this Solved for me as well ! !
Adding a little detailed step :
1. Navigate to the directory of your splunk installation cd /Applications/Splunk/lib
2. ln -hfs /usr/lib/libz.1.dylib /Applications/Splunk/lib/libz.1.dylib
3. vi /Applications/Splunk/etc/splunk-launch.conf
4. add the line OPTIMISTIC_ABOUT_FILE_LOCKING = 1

0 Karma
Reply

pwinchester_spl
Splunk Employee
Splunk Employee
‎10-02-2018 02:57 AM

Thanks for the step by step instructions, I have used this to get my local Splunk instance working too.

0 Karma
Reply

bamdemichael_sp
Splunk Employee
Splunk Employee
‎05-08-2018 08:39 PM

This Worked for me as well. Thank you very much!

0 Karma
Reply

PSIPol
New Member
‎09-14-2017 03:07 PM

I am! Ohhhh...

0 Karma
Reply

garrettdavidson
Engager
‎09-14-2017 03:48 PM

@PSIPol, I just got it working, though I make no promises that my solution is a good one.

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-13-2017 02:45 PM

Hey @PSIPol, were you able to successfully install Splunk? If not, did you already use this documentation for the install process? http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchTutorial/InstallSplunk

0 Karma
Reply

PSIPol
New Member
‎09-13-2017 03:25 PM

It didn't work, no. 😞

I did try that....

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-13-2017 03:29 PM

Ah! Do you want to join our Slack and see if the general channel or new user channel could help you? I'm just a community moderator, so beyond the docs I don't know how to decipher the error messages. http://splk.it/slack You can follow that link if you want to try there!

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎08-25-2017 09:42 AM

Did you try just removing it, then downloading and installing again?

0 Karma
Reply

PSIPol
New Member
‎08-25-2017 10:04 AM

I did. Same error:

This appears to be your first time running this version of Splunk.
Traceback (most recent call last):
  File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 17, in <module>
    import splunk.clilib.cli_common as comm
  File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 10, in <module>
    from xml.sax import saxutils
  File "/Applications/Splunk/lib/python2.7/xml/sax/saxutils.py", line 6, in <module>
    import os, urlparse, urllib, types
  File "/Applications/Splunk/lib/python2.7/urllib.py", line 1440, in <module>
    from _scproxy import _get_proxy_settings, _get_proxies
ImportError: dlopen(/Applications/Splunk/lib/python2.7/lib-dynload/_scproxy.so, 2): Symbol not found: _inflateValidate
  Referenced from: /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
  Expected in: /Applications/Splunk/lib/libz.1.dylib
 in /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
0 Karma
Reply

PSIPol
New Member
‎08-25-2017 10:28 AM

Also tried the .tgz, same problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...