The command-line script
(clear; '/Applications/Splunk/bin/splunk' ftr --accept-license || touch "/tmp/splunk_start_failed_6986"); rm "/tmp/splunk_start_running_3397"
aborted w/ this error:
This appears to be your first time running this version of Splunk.
Traceback (most recent call last):
File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 17, in <module>
import splunk.clilib.cli_common as comm
File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 10, in <module>
from xml.sax import saxutils
File "/Applications/Splunk/lib/python2.7/xml/sax/saxutils.py", line 6, in <module>
import os, urlparse, urllib, types
File "/Applications/Splunk/lib/python2.7/urllib.py", line 1440, in <module>
from _scproxy import _get_proxy_settings, _get_proxies
ImportError: dlopen(/Applications/Splunk/lib/python2.7/lib-dynload/_scproxy.so, 2): Symbol not found: _inflateValidate
Referenced from: /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
Expected in: /Applications/Splunk/lib/libz.1.dylib
in /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
Are you running the High Sierra beta? I'm on the beta and seeing the same issue.
Update:
Just did some poking around and made some progress. I noticed that the error is coming from /Applications/Splunk/lib/libz.1.dylib. Going there, I discovered that the offending library is an alias to lib.1.2.8.dylib in the same folder. I replaced this alias with an alias to /usr/lib/libz.1.dylib (which is aliased to by /usr/lib/libz.1.2.8.dylib). This got past the original error and ./splunk ftr succeeded. However, now I'm getting the following:
➜ ~ /Applications/Splunk/bin/splunk start
Splunk> The IT Search Engine.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /Applications/Splunk/var/lib/splunk
Creating: /Applications/Splunk/var/run/splunk
Creating: /Applications/Splunk/var/run/splunk/appserver/i18n
Creating: /Applications/Splunk/var/run/splunk/appserver/modules/static/css
Creating: /Applications/Splunk/var/run/splunk/upload
Creating: /Applications/Splunk/var/spool/splunk
Creating: /Applications/Splunk/var/spool/dirmoncache
Creating: /Applications/Splunk/var/lib/splunk/authDb
Creating: /Applications/Splunk/var/lib/splunk/hashDb
New certs have been generated in '/Applications/Splunk/etc/auth'.
Checking critical directories... Done
Checking indexes...
homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
The important part here is homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem. It appears that Splunk blindly refuses to run on an APFS partitioned disk. ¯\(ツ)/¯
Update Part 2:
I got it working!
Thanks to this answer, I learned that I just needed to add the line OPTIMISTIC_ABOUT_FILE_LOCKING = 1 to my /Applications/Splunk/etc/splunk-launch.conf. Doing this got Splunk to properly launch on my Mac. However, I imagine that filesystem check is there for a reason, so use at your own risk. It seems that it just has to do with file locking, so worst case is probably that you risk a corrupt Splunk database, but I can't say for sure.
Had the same, thanks to your post I was able to solve with changing link
ln -hfs /usr/lib/libz.1.dylib /Applications/Splunk/lib/libz.1.dylib
Had the same issue after upgrade to High Sierra, solved the same as you with
ln -hfs /usr/lib/libz.1.dylib /Applications/Splunk/lib/libz.1.dylib
and adding OPTIMISTIC_ABOUT_FILE_LOCKING = 1 to config
Thanks a LOT! This solved for me as well!!
Adding a little detailed step:
1. Navigate to the directory of your Splunk installation: cd /Applications/Splunk/lib
2. ln -hfs /usr/lib/libz.1.dylib /Applications/Splunk/lib/libz.1.dylib
3. vi /Applications/Splunk/etc/splunk-launch.conf
4. Add the line OPTIMISTIC_ABOUT_FILE_LOCKING = 1
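The steps above as a reversible, idempotent shell script (an added example, not part of the original posts and not Splunk's own tooling): it records the symlink's original target before repointing it, so the change can be undone, and writes the launch option exactly once. The function names and the .orig-target backup file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reversible, idempotent form of the workaround in this thread.
# Function names and the ".orig-target" backup file are hypothetical.

# Point <splunk_home>/lib/libz.1.dylib at <system_libz>, remembering the old target.
relink_libz() {
    splunk_home=$1; system_libz=$2
    link="$splunk_home/lib/libz.1.dylib"
    backup="$link.orig-target"
    [ -e "$system_libz" ] || { echo "missing: $system_libz" >&2; return 1; }
    # Only touch it if it is the symlink (alias) the thread describes.
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
    current=$(readlink "$link")
    [ "$current" = "$system_libz" ] && return 0     # already applied
    # Record the original target once so the change can be undone.
    [ -f "$backup" ] || printf '%s\n' "$current" > "$backup"
    # -n is the portable spelling of the BSD -h flag used in the thread.
    ln -sfn "$system_libz" "$link"
}

# Restore the symlink target recorded by relink_libz.
restore_libz() {
    link="$1/lib/libz.1.dylib"
    backup="$link.orig-target"
    [ -f "$backup" ] || { echo "no recorded target" >&2; return 1; }
    ln -sfn "$(cat "$backup")" "$link" && rm -f "$backup"
}

# Ensure "KEY = VALUE" appears exactly once in splunk-launch.conf.
set_launch_option() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    # Drop any existing assignment of KEY, then append the wanted one.
    grep -v "^[[:space:]]*$key[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    # cat (rather than mv) keeps the original file's owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage on the install from the thread (run as the user that owns it):
#   relink_libz /Applications/Splunk /usr/lib/libz.1.dylib
#   set_launch_option /Applications/Splunk/etc/splunk-launch.conf \
#       OPTIMISTIC_ABOUT_FILE_LOCKING 1
```

Calling restore_libz /Applications/Splunk puts the bundled library link back, which is the state to return to before applying a Splunk upgrade.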
Thanks for the step by step instructions, I have used this to get my local Splunk instance working too.
This worked for me as well. Thank you very much!
I am! Ohhhh...
@PSIPol, I just got it working, though I make no promises that my solution is a good one.
Hey @PSIPol, were you able to successfully install Splunk? If not, did you already use this documentation for the install process? http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchTutorial/InstallSplunk
It didn't work, no. 😞
I did try that....
Ah! Do you want to join our Slack and see if the general channel or new user channel could help you? I'm just a community moderator, so beyond the docs I don't know how to decipher the error messages. http://splk.it/slack You can follow that link if you want to try there!
Did you try just removing it, then downloading and installing again?
I did. Same error:
This appears to be your first time running this version of Splunk.
Traceback (most recent call last):
File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 17, in <module>
import splunk.clilib.cli_common as comm
File "/Applications/Splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 10, in <module>
from xml.sax import saxutils
File "/Applications/Splunk/lib/python2.7/xml/sax/saxutils.py", line 6, in <module>
import os, urlparse, urllib, types
File "/Applications/Splunk/lib/python2.7/urllib.py", line 1440, in <module>
from _scproxy import _get_proxy_settings, _get_proxies
ImportError: dlopen(/Applications/Splunk/lib/python2.7/lib-dynload/_scproxy.so, 2): Symbol not found: _inflateValidate
Referenced from: /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
Expected in: /Applications/Splunk/lib/libz.1.dylib
in /System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib
Also tried the .tgz, same problem.