Security

Splunk Port 8000 doesn't work

New Member

Hi
i installed splunk 4.2.3-105575 on ubuntu 10.4 x64 without errors.
Started splunk as shown below:

root@XXXXX:/opt/splunk/bin# ./splunk start
Splunk> Take the sh out of IT.

Checking prerequisites...

    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking configuration...  Done.
    Checking index directory...
    Validated databases: _audit _blocksignature _internal _thefishbucket history main summary
    Done
Success

Checking conf files for typos...
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done.
Starting splunkweb... Done.

If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation

The Splunk web interface is at http://XXXXX:8000

When i tried to open the interface doesn't show anything. Gives me a time out error.

Looking to cpu tasks, i have:

root     18174     1  0 11:40 ?        00:00:01 splunkd -p 8089 start
root     18175 18174  0 11:40 ?        00:00:00 splunkd -p 8089 start

And if i look to open ports, i have:

tcp        0      0 *:8089                  *:*                     LISTEN

Where is the web port??
Where is the web splunk??
And if i tried to enable splunk web (like splunk docs)... it say:

Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".

Please HELP!

Thanx
Best Regards

Pedro Silva

0 Karma
1 Solution

Ultra Champion

Have you tried any of the following;

/opt/splunk/bin/splunk status

This will ask splunk to report status and pid for splunkd and splunkweb

netstat -an | grep 8000

should tell you if there is something listening on port 8000

ps aux | grep mrsparkle

find through ps if the splunkweb process is running

Other than that, you should check out the log files in /opt/splunk/var/log/splunk to see if there are any errors.

You mention a timeout, is that your browser timing out while trying to reach the webgui, or the webgui timing out trying to connect to the splunkd?

Hope this helps a little bit anyway. Any more information you could share would be beneficial.

/kristian

View solution in original post

0 Karma

New Member

please add your Ip to the routing table

0 Karma

Ultra Champion

Have you tried any of the following;

/opt/splunk/bin/splunk status

This will ask splunk to report status and pid for splunkd and splunkweb

netstat -an | grep 8000

should tell you if there is something listening on port 8000

ps aux | grep mrsparkle

find through ps if the splunkweb process is running

Other than that, you should check out the log files in /opt/splunk/var/log/splunk to see if there are any errors.

You mention a timeout, is that your browser timing out while trying to reach the webgui, or the webgui timing out trying to connect to the splunkd?

Hope this helps a little bit anyway. Any more information you could share would be beneficial.

/kristian

View solution in original post

0 Karma

New Member

Hi. Sorry for the delay.
No luck! tried everything you said and still not working. The splunkweb just stop before starting normally
:( thanx anyway... Regards

0 Karma

Ultra Champion

Are there any permissions-related issues involved... Under what user is Splunk running - 'root' or 'splunk'? (or something else?). If running as 'splunk' (or any other non-privileged account), are there ANY files in the /opt/splunk/* directories that are owned by root?

In that case, change the ownership of the files to 'splunk'. Just to be sure;
stop splunk
chown -R splunk:splunk /opt/splunk/
start splunk again.

Sorry if this does not solve your problem, but then you should probably post a question to Splunk Support.

/K

0 Karma

Ultra Champion

I assume that you did a full restart (of splunk) after setting the ip-address. I'm sort of running out of ideas...

Are you sure that there is nothing else running on port 8000, or that you for some reason do not have high enough privileges?

Have you tried to connect to port 8000 with telnet or netcat, when splunk is NOT running?

Have you tried to start splunkweb on a different port? Either through editing the web.conf file or through the CLI, e.g. /opt/splunk/bin/splunk set web-port 7000

/k

0 Karma

New Member

FYI only - -if it helps -- i had similar situation.. there was few changes on " iptables" .. I tried restarting splunk n times -- Splunk starts OK -- even says i am avl on web but you still cant see it on web.

Solution which worked for me includes
1. checked all the splunk configs
./splunk show web-port
check startwebserver =1
./splunk cmd btool web list --debug |grep startwebserver

All fine

  1. Restart iptables services (this may not relevant in your case - i did this because we wanted port open etc)
  2. Linux server - rebot ( This was the imp bit -- please do this only in planned process and let Infra and users know etc)
  3. After server was up one final check on the ./splunk status -- worked
0 Karma

New Member

Hi Kristian

i changed th value on server.socket and made a copy of web.conf 😉 but still not working
:(

log's file:

2011-10-24 15:14:31,046 ERROR [4ea5727a482fd5d10] root:493 - Unable to start splunkweb
2011-10-24 15:14:31,046 ERROR [4ea5727a482fd5d10] root:494 - Port 8000 not bound on '10.255.0.254'

best regards

Pedro

0 Karma

Ultra Champion

If the change suggested in the link above solves your problem, please make the change to /opt/splunk/etc/system/local/web.conf instead of /opt/splunk/etc/system/default/web.conf. Why? Because any 'default'-directories get overwritten when you upgrade Splunk, and your change will then be lost.

Note that if there is no web.conf in 'local', you can just copy the it from the 'default' directory. Parameters set in 'local' .conf files override parameter settings in 'default'.

Do not edit anything in a 'default' directory.

/kristian

0 Karma

Ultra Champion

Hm well, there could be a number of reasons for things not working properly. You could have a look at the following link, which discusses the error you mention.

http://www.splunk.com/support/forum:SplunkAdministration/3620

The short of it is that you may have to set the desired IP-address in web.conf. See the post for details.

Good luck,

Kristian

0 Karma

New Member

Hi Kristian...

the splunkweb just stoped!
i start the service and then stoped.
i looked the web_service.log and said:

Port 8000 not bound on '0.0.0.0'

but i not using this port for anything 😞
in the splunkd log file doesn't give me any error

thanx
Pedro

ps: i have 5 NIC's on this machine... that could be a problem? i want to access only from one NIC

0 Karma

New Member

Hi Kristian

Thanx.

when starting splunk... despite the alert (port 8000 open....) the splunkweb didn't started...

problem fixed with ./splunk start and ./splunk start splunkweb

best regards

Pedro

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!