Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why the KVstore process is being started as a root?

abhi04
Communicator
‎03-04-2020 09:41 AM

Splunk is not restarting because we are getting the error "kvstore port [8191] - port is already bound". After I check, I observed the process is starting as a root and so while restarting it assumes the port is being taken by another process. I killed the process and was able to start the splunk.

But I wanted to know the reason and the resolution to prevent this from happening in the future. I have checked and verified that the /var/lib/splunk/kvstore/mongo is owned by splunk. But some of the files such as "admin.0" "admin.ns" "config.0" and "config.ns" are owned as root and not splunk. Wanted to know what are those files and if these permissions should also be changed to splunk.
Also, the splunk.key have proper permission.

Labels (1)
Labels
0 Karma
Reply

codebuilder
Influencer
‎03-06-2020 10:47 AM

Stop Splunk completely and verify all processes are down "ps -ef |grep -i splunk" e.g.
If any are still active, kill them off.

Modify the config at /opt/splunk/etc/splunk-launch.conf and ensure that SPLUNK_OS_USER is set to splunk.
SPLUNK_OS_USER=splunk

If you are using systemd, also verify the user is set correctly within the unit file in the [Service] stanza
User=splunk

Start Splunk back up and verify.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

codebuilder
Influencer
‎03-16-2020 03:26 PM

Did this help resolve your issue? If so, please "accept" the answer so that others in the community may benefit.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

nickhills
Ultra Champion
‎03-04-2020 09:46 AM

This can happen if your instance was at some point started by root (perhaps by mistake)
All files in $SPLUNK_HOME should be owned by the user Splunk is running as (splunk)

If you have files inside $SPLUNK_HOME owned by root, you should probably run:
sudo chown -R splunk:splunk /opt/splunk - or the path of $SPLUNK_HOME

If my comment helps, please give it a thumbs up!
0 Karma
Reply

abhi04
Communicator
‎03-06-2020 06:35 AM

Hi @nickhillscpl,

The /opt/splunk is already owned as splunk.

I just wanted to know if there is a permanent fix for this. will the re-installation of splunk resolve this permanently?

0 Karma
Reply

nnimbe1
Path Finder
‎01-10-2022 06:03 AM

Can we delete old dated .ns files from $Splunk Directory$\Splunk\var\lib\splunk\kvstore\mongo folder to increase the SH drive space...whether it will have any impact on SH performance

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...