Installation

splunkd was not running. Waiting for web server

SOCat
Engager

Hello,

I've tried figuring this out on my own but I couldn't find any related threads which would fixed my problems.

I'm trying to install Splunk enterprise on my Ubuntu 20.04.5 LTS Server as root.

I've tried both .deb and .tar versions by following the docs . I've also tried following the new installation manual video.

 

After starting splunk with ./splunk start  and accepting the license I was prompted to rename the default account, i continued with enter to use the default admin name. Then I changed the default password and waited for the RSA key gen and preliminary checks.


After that I am prompted with:

  

Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done

Waiting for web server at http://127.0.0.1:8000 to be available........splunkd 4932 was not running.

Stopping splunk helpers...

Done.

Stopped helpers.

Removing stale pid file... done.

WARNING: web interface does not seem to be available!

 

I've also checked the logs but could't figure out the problem on my own:

 

Last entries of cat /opt/splunk/var/log/splunk/splunkd.log 

09-21-2022 19:55:57.924 +0200 INFO  PipelineComponent [4932 MainThread] - Pipeline vix disabled in default-mode.conf file
09-21-2022 19:55:57.932 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
09-21-2022 19:55:57.942 +0200 WARN  Thread [4932 MainThread] - MainThread: about to throw a ThreadException: pthread_create: Resource temporarily unavailable; 55 threads active. Trying to create QueueServiceThread
09-21-2022 19:55:57.944 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   SSLCommon - PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
09-21-2022 19:55:57.945 +0200 ERROR ExecProcessor [5097 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" /bin/sh: 1: Cannot fork
09-21-2022 19:55:57.945 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/selfupdate_modular_input.py": Resource temporarily unavailable
09-21-2022 19:55:57.948 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   SSLOptions - server.conf/[kvstore]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security
09-21-2022 19:55:57.949 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/supervisor_modular_input.py": Resource temporarily unavailable
09-21-2022 19:55:57.952 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   Thread - MainThread: about to throw a ThreadException: pthread_create: Resource temporarily unavailable; 2 threads active. Trying to create KVStoreServerStatusInstrumentThread
09-21-2022 19:55:57.953 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py": Resource temporarily unavailable
09-21-2022 19:55:57.954 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py": Resource temporarily unavailable
09-21-2022 19:55:57.954 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_monitoring_console/bin/dmc_config.py": Resource temporarily unavailable
09-21-2022 19:55:57.954 +0200 INFO  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -  terminate called after throwing an instance of '15ThreadException'
09-21-2022 19:55:57.955 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_monitoring_console/bin/mc_auto_config.py": Resource temporarily unavailable
09-21-2022 19:55:57.956 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py": Resource temporarily unavailable
09-21-2022 19:55:57.956 +0200 INFO  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -    what():  MainThread: about to throw a ThreadException: pthread_create: Resource temporarily unavailable; 2 threads active. Trying to create KVStoreServerStatusInstrumentThread

 

ulimit -n -u

open files                      (-n) 1024
max user processes              (-u) 62987

 

Does anyone know what I am doing wrong?

 

Please help me I have no spluck>

: (

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

based on log, you are running out of resources. Maybe this explain it

Information on expected default shell and caveats for Debian shells

On later versions of Debian Linux (for example, Debian Squeeze), the default non-interactive shell is the dash shell. Splunk Enterprise expects to run commands using the bash shell, and bash to be available from /bin/sh. Using the dash shell can result in zombie processes - processes that have completed execution, yet remain in the process table and cannot be killed or removed. If you run Debian Linux, consider changing your default shell to be bash.

Also open files should be much higher like 64k. https://community.splunk.com/t5/Splunk-Search/Changing-the-Ulimits-for-openfiles/m-p/318521
r. Ismo

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

based on log, you are running out of resources. Maybe this explain it

Information on expected default shell and caveats for Debian shells

On later versions of Debian Linux (for example, Debian Squeeze), the default non-interactive shell is the dash shell. Splunk Enterprise expects to run commands using the bash shell, and bash to be available from /bin/sh. Using the dash shell can result in zombie processes - processes that have completed execution, yet remain in the process table and cannot be killed or removed. If you run Debian Linux, consider changing your default shell to be bash.

Also open files should be much higher like 64k. https://community.splunk.com/t5/Splunk-Search/Changing-the-Ulimits-for-openfiles/m-p/318521
r. Ismo

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...