Security

Not prompted for Splunk user upon installation

byu168
Path Finder

Hi, I'm trying to migrate my Splunk instance from an AWS VM to a GCP VM.

I copied over this file splunk-6.5.0-59c8927def0f-Linux-x86_64.tgz to my new GCP instance and ran the following commands

sudo tar xvzf splunk-6.5.0-59c8927def0f-Linux-x86_64.tgz -C /opt
sudo useradd splunk -d /opt/splunkforwarder
sudo passwd splunk
sudo chown -R splunk:splunk $SPLUNK_HOME
./splunk start

The install goes fine except I get this message "Your license is expired. Please login as an administrator to update the license." I'm not sure what license this is referring to.

During the installation I wasn't prompted to create a Splunk user, so I have no login for the Web UI.

I tried using this to add a user, but I got blocked because there's no Splunk username to use.

$ ./splunk edit user admin -password mooredna
Splunk username: admin
Password:
Login failed
$ exit

Can someone point out what I'm doing wrong?

0 Karma
1 Solution

byu168
Path Finder

I figured out the issue. I had to copy over my files from the original instance first before unpacking the tar file.

0 Karma

renjith_nair
Legend

@byu168,

Most probably you have a Free license, which will not prompt for a user name and password.

What you should know about switching to Free

Splunk Enterprise Trial gives you access to a number of features that are not available in Splunk Free. When you switch, be aware of the following:

    User accounts or roles that you created no longer work.
    Anyone connecting to the instance will automatically be logged on as admin. You will no longer see a login screen, though you will see the update check occur.
    Any knowledge objects created by any user other than admin (such as event type, transaction, or source type definitions) and not already globally shared will not be available. If you need these knowledge objects to continue to be available after you switch to Splunk Free, you can do one of the following:
        Use Splunk Web to promote them to be globally available before you switch. See Manage app and add-on objects.
        Hand edit the configuration files they are in to promote them. See App architecture and object ownership.
    Any alerts you defined no longer trigger. You no longer receive alerts from Splunk software. You can still schedule searches to run for dashboards and summary indexing purposes.
    Configurations in outputs.conf to forward to third-party applications in TCP or HTTP formats do not work.

When you attempt to make any of the above configurations in Splunk Web while using an Enterprise Trial license, you will be warned about the above limitations in Splunk Free. 

Additionally, your directory is /opt/splunkforwarder. If you are trying to install a forwarder, you need to download the forwarder package, which is different from the normal package. If you are trying to install an HF, then you may configure it as slave license master or install with the forwarder license.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
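
The reply's point that a Free license removes the login screen and logs everyone on as admin can be checked from configuration. This is an added example, not part of the original thread or Splunk's own code; it assumes the license group is recorded as `active_group` under `[license]` in server.conf and that etc/system/local overrides etc/system/default, and the sample file contents are constructed.

```python
"""Flag a Splunk instance whose effective license group is Free (no login screen)."""
from typing import Dict, Iterable, Tuple

Conf = Dict[str, Dict[str, str]]

# Constructed samples standing in for etc/system/default/server.conf and
# etc/system/local/server.conf; the values are illustrative, not shipped defaults.
SAMPLE_DEFAULT = """
[license]
active_group = Trial
"""
SAMPLE_LOCAL = """
[license]
active_group = Free
"""

def parse_conf(text: str) -> Conf:
    """Parse .conf text: [stanza] headers, key = value pairs, # comments."""
    conf: Conf = {}
    stanza = "default"  # settings seen before any header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def merge(layers: Iterable[Conf]) -> Conf:
    """Merge layers given lowest precedence first; later keys override earlier ones."""
    merged: Conf = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged

def license_finding(default_text: str, local_text: str) -> Tuple[str, bool]:
    """Return (effective license group, True if logins are bypassed as on Free)."""
    effective = merge([parse_conf(default_text), parse_conf(local_text)])
    group = effective.get("license", {}).get("active_group", "unknown")
    return group, group.lower() == "free"

if __name__ == "__main__":
    print(license_finding(SAMPLE_DEFAULT, SAMPLE_LOCAL))
```

A True result means the Web UI should be treated as unauthenticated admin access and kept off untrusted networks until a license that enforces logins is installed.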