Monitoring Splunk

Splunk server unable to start after upgrade to 6.2.2

hanshen
Explorer

We upgraded our Splunk dev server to 6.2.2. Starting it with the splunk account failed, with the message below:

[servername:/opt/splunk/bin]$ splunk start

Splunk> The IT Search Engine.

Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
execve: Permission denied
while running command /usr/bin/startsrc
Splunk boot-start is enabled. please use /usr/bin/startsrc -s splunkd to start splunk

[servername:/opt/splunk/bin]$

root can start it using /usr/bin/startsrc -s splunkd; however, we would like to use the splunk account to start/stop the server.

What permission should the splunk account have to start/stop the Splunk server on AIX?

0 Karma

hanshen
Explorer

This is a bug in 6.2.2 in AIX per Splunk support. Defect SPL-96141, will be fixed for 6.2.3.

0 Karma

hanshen
Explorer

Is it new in 6.2.2? Our prod is using 443, which is 5.x, without this issue.

0 Karma

harsmarvania57
Ultra Champion
0 Karma

hanshen
Explorer

Checked: the line below is not in the /etc/inittab file:
$SPLUNK_HOME/bin/splunk enable boot-start

The startup message shows: Splunk boot-start is enabled.
So where is Splunk boot-start set up as enabled, besides the /etc/inittab file?

0 Karma

hanshen
Explorer

We had root run:
/opt/splunk/bin/splunk enable boot-start -user splunk
0513-071 The splunkd Subsystem has been added.
0513-071 The splunkweb Subsystem has been added.
SRC subsystem group installed.
SRC subsystem group is configured to run at boot.

But still no luck running as the splunk user:

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
execve: Permission denied
while running command /usr/bin/startsrc
Splunk boot-start is enabled. please use /usr/bin/startsrc -s splunkd to start splunk

0 Karma

harsmarvania57
Ultra Champion

You have set the web port to 443, and ports < 1024 can be bound by the root user only. If you want to start Splunk as the splunk user, then use a port > 1024 for Splunk Web.

0 Karma

Raghav2384
Motivator

Try giving ownership of /opt/splunk to the splunk user and splunk group, and try.

0 Karma

hanshen
Explorer

Yes, this has been verified...

0 Karma
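
A pre-flight check covering the three things the replies in this thread point at (a Splunk Web port below 1024, ownership of /opt/splunk, and execute permission on /usr/bin/startsrc). It is an added example, not posted by any participant and not Splunk's own tooling; the function names are hypothetical, and it does not detect or work around defect SPL-96141.

```shell
#!/bin/sh
# Added example: checks to run as the account that will start Splunk.
# Function names are hypothetical; httpport is the Splunk Web port key in web.conf.

# Print the last httpport value set in a web.conf file (nothing if unset).
web_port() {
    awk -F= '/^[ \t]*httpport[ \t]*=/ {
        gsub(/[ \t\r]/, "", $2); port = $2
    } END { if (port != "") print port }' "$1"
}

# Succeed (0) when the given uid would need root to bind the given port.
needs_root_to_bind() {  # args: port uid
    [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]
}

# Count entries under a directory that are not owned by the given uid.
not_owned_count() {  # args: dir uid
    find "$1" ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Run all three checks, print findings, return the number of problems found.
preflight() {  # args: splunk_home web_conf start_cmd
    problems=0
    uid=$(id -u)
    port=$(web_port "$2")
    if [ -n "$port" ] && needs_root_to_bind "$port" "$uid"; then
        echo "web port $port is below 1024; uid $uid cannot bind it"
        problems=$((problems + 1))
    fi
    n=$(not_owned_count "$1" "$uid")
    if [ "$n" -gt 0 ]; then
        echo "$n entries under $1 are not owned by uid $uid"
        problems=$((problems + 1))
    fi
    if [ ! -x "$3" ]; then
        echo "$3 is not executable by uid $uid (execve would be denied)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Invocation on a host laid out as in the thread (run as the splunk user):
# preflight /opt/splunk /opt/splunk/etc/system/local/web.conf /usr/bin/startsrc
```
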