Security

Why am I getting "HTTP Error 404. The requested resource is not found." trying to open Splunk (localhost:8000) after installation?

Path Finder

Hi,

I just installed Splunk for the first time. When trying to open Splunk (localhost:8000) it just fails and I get an "HTTP Error 404. The requested resource is not found." error.
After searching for answers to this problem, I found this http://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html and opened all the ports mentioned, yet I still get that error.
I use Windows 8.
Where else could the problem be and how can I solve it?

Upon suggestion whether the services are started:
Splunkd is running but while trying to start splunkweb I receive "Error 1053: The service did not respond to the start or control request in a timely fashion." Then I searched for it and found http://answers.splunk.com/answers/103302/splunkweb-service-is-not-being-started.html (he has the exact same problem) but unfortunately again only the Splunkd service starts. Also the description at the service states "splunkweb (legacy purposes only): The splunkweb service, which handled all Splunk Web operations and sent requests to the splunkd service, has been disabled stating in Splunk 6.2. The splunkd service now handles all Splunk Enterprise services in normal operation. On Windows, the splunkweb service installs, but does not run by default." So I try to start in legacy mode (http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/StartSplunk#Start_Splunk_Enterprise_on_Windo...), now the splunkweb service is running indeed but when opening splunk I still get the same 404 error.

Thanks in advance!

New Member

Hi,

I first time installed in windows while my port 8001 works but port 8000 give errors. May I know the windows commands to troubleshoot this problem.

Thanks in Advance

0 Karma

SplunkTrust
SplunkTrust

@pranzm, Check from Task Manager whether port number 8000 is available.
You can also try starting splunk from command prompt which will show you underlying steps that Splunk performs and before launching Splunk it also check for whether Port 8000 is available or not.

<YourSplunkPath>\bin\splunk start
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

netstat -ao |findstr 8000

The above will give you the PID of the process that is using it

tasklist /FI "PID eq xxxx" (where xxxx = PID from command above)

The above will give you the process that is using the port.

0 Karma

SplunkTrust
SplunkTrust
C:\Users\user>netstat -ao| findstr 8000
  TCP    0.0.0.0:8000           computerName:0          LISTENING       3832

C:\Users\user>tasklist /FI "PID eq 3832"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
splunkd.exe                   3832 Services                   0    112,080 K
0 Karma

I downvoted this post because i mistook the question as the problem i had

0 Karma

Community Manager
Community Manager

@madura.eleperuma@dna.com.au.splk

This is not how things work in this community. You don't just downvote people's questions because it didn't specifically cater to your issue. How is it other people's fault that the issue they posted 1 year ago wasn't directly related to one person's problem today? You're not going to downvote every single question on here that isn't related to what you're looking for right? You should only downvote people's questions, answers, or comments if whatever they are suggesting in their content is not best practice/could possibly break something in other users' environments.

Please refer to this post on how voting etiquette works in this community forum:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma

I'm sorry for my misunderstanding here. I just wanted to remove the vote I accidentally placed thinking it was the same issue i was facing. I accept my mistake was unaware of the usage. I have corrected it now

Community Manager
Community Manager

No worries, thank you for coming back to follow up with this so quickly. I (and the rest of the Splunk Community) appreciate it 🙂 I hope you find a solution for your Cisco Security Suite question soon!

Patrick

0 Karma

Engager

Before trying the legacy mode, just try to open the splunk enterprise in 8001 port.
http://localhost:8001/
most of the time it works. Happy Splunking

Engager

@sandipta : Your solution works like a CHARM 🙂 🙂

0 Karma

Engager

this worked for me. can this be put in documentation as well?

0 Karma

New Member

port 8001 works for me too.

0 Karma

SplunkTrust
SplunkTrust

Sounds like you are misconfigured somewhere.
Run this:

$SPLUNK_HOME/bin/splunk cmd btool web list --debug | grep 800

Where $SPLUNK_HOME is where you installed Splunk. Look for the port setting for 800 and make sure it is set right. The command above will show you where the configuration is coming from.

The second thing to check is permissions. Make sure that the entire $SPLUNK_HOME folder is owned with group of the user running Splunk. Assuming your are using user splunk, you can do this:

chown -R splunk: $SPLUNK_HOME

Path Finder

Hi, thanks for your answer. I used the first command (findstr instead of grep since I use Windows 😎 . It says it's in the etc\system\local\web.conf httpport = 8000. Which is the file I changed (see begin post) in order to get splunkweb to run, so that does makes sense. Then I started splunk manually in my command prompt. It says that port 8000 is already bound and I had to input another port and when go to that other port Splunk is indeed working. When I check for port 8000 it seems that PID is 4 which means port 8000 is listening to System. I know for sure that this port was open before I was doing that splunkweb legacy mode thing because splunk.exe start worked without command prompt asking for another port. Stopped all apps but no success, I'll just give up and use port 8001 instead.

0 Karma

Splunk Employee
Splunk Employee

As what user are you running the Splunk service?

0 Karma

Path Finder

Sorry for the late reply. After following the tutorial to use in legacy mode I changed the content of the web.conf to port 8000. The one in the local folder was directing to port 8001. It still didn't work. But I check localhost:8001 and there it was! It's strange because still everything is set to 8000. I don't know where else (other than the local web.conf file that at first was directing to 8001) it says to go to 8001 instead of 8000. So it solved partially. As the Splunk shortcut still goes to localhost:8000 and I don't know in which file I can see where else 8001 is stated.

0 Karma

Engager

Thanks for this. Changing to 8001 worked for me. Hope this helps other people.
I changed the web.conf file to point at 8000 and restarted the service. It said that port 8000 was being used by another service.

0 Karma

SplunkTrust
SplunkTrust

Are splunkd and splunkweb running?

---
If this reply helps you, an upvote would be appreciated.

Path Finder

@richgalloway good one! The splunkweb service did not work initally. I edited this in the original question. Now it's running but I still get that error.

0 Karma