Splunkd issue when launching a new instance using an image from an existing Splunk EC2 instance?

hantaliu
Loves-to-Learn Lots

Hi

I am trying to launch a new instance from an image created by an existing EC2 instance that hosts Splunk. When I launch the new one, everything looks fine (Splunk was already installed, files remained unchanged, etc.). However, I was not able to access the Splunk app via <ipv4 address>:<port> (we are using 8443 instead, but our inbound rule allows 8000, 8443, 8089...).

I checked the inbound rules and they are identical to the old ones, which have all the correct ports set up.

When I run `sudo /opt/splunk/bin/splunk restart`, here is what I got:

splunkd 26175 was not running.
Stopping splunk helpers...
                                                           [  OK  ]
Done.
Stopped helpers.
Removing stale pid file... done.
splunkd is not running.                                    [FAILED]

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
        Checking http port [8443]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration... Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket boost_prod_connect history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-9.0.3-dd0128b1f8cd-linux-2.6-x86_64-manifest'
File '/opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf' changed.
        Problems were found, please review your files and move customizations to local
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done
                                                           [  OK  ]

Waiting for web server at https://127.0.0.1:8443 to be available...................................splunkd 27894 was not running.
Stopping splunk helpers...
                                                           [  OK  ]
Done.
Stopped helpers.
Removing stale pid file... done.


WARNING: web interface does not seem to be available!

I also checked splunkd.log, and here is a snapshot of the log:

06-07-2023 18:37:29.610 +0000 INFO  DatabaseDirectoryManager [28341 indexerPipe] - idx=_audit writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/audit/db' pendingBucketUpdates=1 innerLockTime=0.000. Reason='New hot bucket bid=_audit~47~5C52B298-3A3B-4A82-9F95-B9738E1D9BFB bucket_action=add'
06-07-2023 18:37:29.610 +0000 INFO  DatabaseDirectoryManager [28341 indexerPipe] - Finished writing bucket manifest in hotWarmPath=/opt/splunk/var/lib/splunk/audit/db duration=0.000
06-07-2023 18:37:29.619 +0000 INFO  ServerRoles [28341 indexerPipe] - Declared role=indexer.
06-07-2023 18:37:30.122 +0000 WARN  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
06-07-2023 18:37:30.126 +0000 WARN  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   SSLCommon - PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
06-07-2023 18:37:30.188 +0000 INFO  ProcessTracker [27894 MainThread] - (child_0__Fsck)  Fsck - (entire bucket) Rebuild for bucket='/opt/splunk/var/lib/splunk/audit/db/db_1686162521_1686162521_46' took 2703.9 milliseconds
06-07-2023 18:37:30.425 +0000 INFO  TailingProcessor [28425 MainTailingThread] - TailWatcher initializing...
06-07-2023 18:37:30.425 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json.
06-07-2023 18:37:30.426 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk.
06-07-2023 18:37:30.426 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_hec.
06-07-2023 18:37:30.426 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_new.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/tracker.log*.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/splunk.version.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/introspection.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/python_upgrade_readiness_app.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/configuration_change.log.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log.
06-07-2023 18:37:30.427 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*.
06-07-2023 18:37:30.428 +0000 INFO  TailReader [28425 MainTailingThread] - State transitioning from 1 to 0 (initOrResume).
06-07-2023 18:37:30.428 +0000 INFO  TailReader [28425 MainTailingThread] - State transitioning from 1 to 0 (initOrResume).
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/etc/splunk.version.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/introspection.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/python_upgrade_readiness_app.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/splunk.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/var/log/watchdog.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/var/run/splunk/search_telemetry.
06-07-2023 18:37:30.428 +0000 INFO  TailingProcessor [28425 MainTailingThread] - Adding watch on path: /opt/splunk/var/spool/splunk.
06-07-2023 18:37:30.450 +0000 INFO  TailReader [28443 tailreader0] - Registering metrics callback for: tailreader0
06-07-2023 18:37:30.450 +0000 INFO  TailReader [28443 tailreader0] - Starting tailreader0 thread
06-07-2023 18:37:30.462 +0000 INFO  TailReader [28444 batchreader0] - Registering metrics callback for: batchreader0
06-07-2023 18:37:30.462 +0000 INFO  TailReader [28444 batchreader0] - Starting batchreader0 thread
06-07-2023 18:37:30.467 +0000 INFO  ConfigWatcher [27902 HTTPDispatch] - Loaded configtracker settings with disabled=0 mode=auto log_throttling_disabled=1 log_throttling_threshold_ms=10.000 denylist= exclude_fields=
06-07-2023 18:37:30.529 +0000 WARN  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   SSLOptions - server.conf/[kvstore]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
06-07-2023 18:37:30.643 +0000 INFO  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   RU_main - I-data gathering (Resource Usage) starting; period=10s
06-07-2023 18:37:30.733 +0000 INFO  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   RU_main - I-data gathering (IO Statistics) starting; interval=60s
06-07-2023 18:37:30.733 +0000 INFO  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   RU_main - Starting I-data gathering (IOWait Statistics). Interval_secs=10
06-07-2023 18:37:31.065 +0000 INFO  ConfigWatcher [28445 SplunkConfigChangeWatcherThread] - SplunkConfigChangeWatcher initializing...
06-07-2023 18:37:31.065 +0000 INFO  ConfigWatcher [28445 SplunkConfigChangeWatcherThread] - Kernel File Notification is enabled on this instance. inotify will be used for configuration tracking.
06-07-2023 18:37:31.067 +0000 INFO  ConfigWatcher [28445 SplunkConfigChangeWatcherThread] - Watching path: /opt/splunk/etc/system/local, /opt/splunk/etc/system/default, /opt/splunk/etc/apps, /opt/splunk/etc/users, /opt/splunk/etc/peer-apps, /opt/splunk/etc/instance.cfg
06-07-2023 18:37:31.195 +0000 INFO  ConfigWatcher [28445 SplunkConfigChangeWatcherThread] - Finding the deleted watched configuration files (while splunkd was down) completed in duration=0.127 secs
06-07-2023 18:37:31.362 +0000 INFO  IndexerIf [28341 indexerPipe] - Asked to add or update bucket manifest values, bid=_audit~46~5C52B298-3A3B-4A82-9F95-B9738E1D9BFB
06-07-2023 18:37:31.438 +0000 INFO  loader [27902 HTTPDispatch] - Limiting REST HTTP server to 21845 sockets
06-07-2023 18:37:31.438 +0000 INFO  loader [27902 HTTPDispatch] - Limiting REST HTTP server to 161 threads
06-07-2023 18:37:31.438 +0000 WARN  X509Verify [27902 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
06-07-2023 18:37:32.194 +0000 INFO  UiHttpListener [28468 WebuiStartup] - Server supporting SSL versions TLS1.2
06-07-2023 18:37:32.194 +0000 INFO  UiHttpListener [28468 WebuiStartup] - Using cipher suite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
06-07-2023 18:37:32.194 +0000 INFO  UiHttpListener [28468 WebuiStartup] - Using ECDH curves : prime256v1, secp384r1, secp521r1
06-07-2023 18:37:32.197 +0000 WARN  X509Verify [28468 WebuiStartup] - X509 certificate (O=SplunkUser,CN=ip-172-31-46-102.us-west-2.compute.internal) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
06-07-2023 18:37:32.197 +0000 INFO  UiHttpListener [28468 WebuiStartup] - Limiting UI HTTP server to 21845 sockets
06-07-2023 18:37:32.197 +0000 INFO  UiHttpListener [28468 WebuiStartup] - Limiting UI HTTP server to 161 threads
06-07-2023 18:37:32.251 +0000 INFO  DatabaseDirectoryManager [28321 IndexerService] - idx=_audit writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/audit/db' pendingBucketUpdates=1 innerLockTime=0.000. Reason='IndexerService periodic manifest update'
06-07-2023 18:37:32.252 +0000 INFO  DatabaseDirectoryManager [28321 IndexerService] - Finished writing bucket manifest in hotWarmPath=/opt/splunk/var/lib/splunk/audit/db duration=0.001
06-07-2023 18:37:32.309 +0000 INFO  ProxyConfig [28468 WebuiStartup] - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.
06-07-2023 18:37:32.310 +0000 INFO  ProxyConfig [28468 WebuiStartup] - Failed to initialize https_proxy from server.conf for splunkd. Please make sure that the https_proxy property is set as https_proxy=http://host:port in case HTTP proxying needs to be enabled.
06-07-2023 18:37:32.310 +0000 INFO  ProxyConfig [28468 WebuiStartup] - Failed to initialize the proxy_rules setting from server.conf for splunkd. Please provide a valid set of proxy_rules in case HTTP proxying needs to be enabled.
06-07-2023 18:37:32.310 +0000 INFO  ProxyConfig [28468 WebuiStartup] - Failed to initialize the no_proxy setting from server.conf for splunkd. Please provide a valid set of no_proxy rules in case HTTP proxying needs to be enabled.
06-07-2023 18:37:32.314 +0000 WARN  SSLOptions [28468 WebuiStartup] - <internal>.conf/[<internal>]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
06-07-2023 18:37:32.414 +0000 WARN  SSLOptions [28468 WebuiStartup] - <internal>.conf/[<internal>]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
06-07-2023 18:37:32.837 +0000 WARN  SSLOptions [28394 SchedulerThread] - server.conf/[search_state]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
06-07-2023 18:37:32.999 +0000 WARN  ProcessTracker [27894 MainThread] - (child_1__Fsck)  SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
06-07-2023 18:37:34.574 +0000 INFO  ExecProcessor [28362 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" splunk-dashboard-studio version is 1.7.3
06-07-2023 18:37:34.575 +0000 INFO  ExecProcessor [28362 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" Content of /opt/splunk/etc/apps/splunk-dashboard-studio/kvstore_icon_status.conf is {'default': {'uploadedVersion': '1.7.3'}}
06-07-2023 18:37:34.575 +0000 INFO  ExecProcessor [28362 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" Icons of splunk-dashboard-studio version 1.7.3 are already stored in kvstore collection. Skipping now and exiting.

 

0 Karma

VatsalJagani
SplunkTrust

@hantaliu - It seems that Splunk Web was not able to start, which happens sometimes.

Run the command below:

/opt/splunk/bin/splunk start

(see if you are able to start splunk web.)

Do not restart, as a restart will also affect Splunkd, which I can see in your case is running fine. It is just that Splunk Web has an issue.

I hope this helps!!! Kindly upvote if it does!!

0 Karma
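
A triage sketch for the certificate-validation warnings in the splunkd.log snapshot in the question, added here as an example and not part of the original posts: it collapses repeated WARN lines into one finding per configuration file, stanza and setting, so the same setting reported by several components shows up once. The sample lines are shortened copies of lines from that snapshot, and the function and variable names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the snapshot above with messages shortened.
SAMPLE_LOG = """\
06-07-2023 18:37:30.122 +0000 WARN  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation
06-07-2023 18:37:30.126 +0000 WARN  IntrospectionGenerator:resource_usage [28362 ExecProcessor] -   SSLCommon - PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation
06-07-2023 18:37:30.425 +0000 INFO  TailingProcessor [28425 MainTailingThread] - TailWatcher initializing...
06-07-2023 18:37:31.438 +0000 WARN  X509Verify [27902 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA).
06-07-2023 18:37:32.837 +0000 WARN  SSLOptions [28394 SchedulerThread] - server.conf/[search_state]/sslVerifyServerCert is false disabling certificate validation
06-07-2023 18:37:32.999 +0000 WARN  ProcessTracker [27894 MainThread] - (child_1__Fsck)  SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation
"""

# Fields: timestamp, level, component, [id thread], message
LINE = re.compile(r"^(\S+ \S+ \S+) +(INFO|WARN|ERROR|FATAL) +(\S+) \[\d+ ([^\]]+)\] - (.*)$")
VERIFY_OFF = re.compile(r"(\S+\.conf)/\[([^\]]+)\]/sslVerifyServerCert is false")
PY_VERIFY = re.compile(r"PYTHONHTTPSVERIFY is set to 0 in (\S+)")
DEFAULT_CERT = re.compile(r"X509 certificate \((.*?)\) should not be used")


def parse(log_text):
    """Yield (timestamp, level, component, thread, message) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()


def tls_findings(log_text):
    """Count WARN lines per (file, stanza or subject, setting) they point at."""
    found = Counter()
    for _ts, level, _component, _thread, msg in parse(log_text):
        if level != "WARN":
            continue
        if m := VERIFY_OFF.search(msg):
            found[(m.group(1), f"[{m.group(2)}]", "sslVerifyServerCert=false")] += 1
        elif m := PY_VERIFY.search(msg):
            found[(m.group(1), "-", "PYTHONHTTPSVERIFY=0")] += 1
        elif m := DEFAULT_CERT.search(msg):
            found[("certificate", m.group(1), "issued by Splunk default CA")] += 1
    return found


if __name__ == "__main__":
    for (where, scope, issue), n in sorted(tls_findings(SAMPLE_LOG).items()):
        print(f"{n}x  {where} {scope}: {issue}")
```
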