Splunk Enterprise

Attempting to revert the SPLUNK_HOME ownership?

Skeer-Jamf
Path Finder

This happens regardless of whether I am installing fresh or upgrading an existing install to version 9.1.0.1. Every action that involves the splunk binary prepends all output with:

Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunkfwd /opt/splunkforwarder"

 

I've tried manually running that, as Root! And it still persists even though now the contents under /opt/splunkforwarder are owned by splunkfwd recursively!

0 Karma

Skeer-Jamf
Path Finder

Thank you Sanjay, so yet another known issue huh? Upgrading/installing version 9 has a few it seems.

So, being as though I'm sure this is low priority is there any ETA on it at all? I have automation that handles the installing of the UF. Now when checking the returns/results of a service restart I need to make sure to include bits to ensure the 'Warning' generated doesn't cause me problems.

0 Karma

SanjayReddy
SplunkTrust

Hi @Skeer-Jamf 

This is a known issue. As long as splunkforwarder is owned by the correct user and working as expected, it won't cause any issue. See the known issues of the UF:

https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/Knownissues 


----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

patng_nw
Communicator

I want to point out that these two warnings are breaking my jobs, because on some machines I am using the splunkforwarder CLI to run a query on the Splunk cluster and export the result to files.

https://docs.splunk.com/Documentation/Splunk/9.1.1/Search/ExportdatausingCLI

These two extra warning lines were now written to the export files as well.

I think it is OK for the CLI to print warnings, but the splunk CLI should follow best practice and write these warnings to stderr. But it's writing them to stdout, so we can't use the standard practice of " 2> err.txt 1> export.csv" to handle warnings.

Now I have to add these to ALL the script files which are running the splunkforwarder CLI, which is pretty ugly:
" | grep -vi "warning:" > export.csv"

I wish there were a flag to disable warnings, or the splunkforwarder CLI should at least write them to stderr instead of stdout.

0 Karma
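A narrower filter than the grep -vi "warning:" workaround in the post above, as an added example that is not part of the original thread or Splunk's own tooling: it moves only the two ownership warnings quoted at the top of this thread to stderr, and only while they lead the output, so exported rows that merely contain the word "warning" are kept. The function names and the sample rows are constructed for illustration, and it assumes the warnings are always prepended to stdout as described in the thread.

```shell
#!/bin/sh
# Added example: route the two SPLUNK_HOME ownership warnings from stdout to
# stderr so that "2> err.txt 1> export.csv" style handling works again.
# Assumption: the warnings only appear at the very start of the output.

strip_uf_ownership_warnings() {
    in_preamble=1
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$in_preamble" -eq 1 ]; then
            case $line in
                'Warning: Attempting to revert the SPLUNK_HOME ownership' | \
                'Warning: Executing "chown -R '*' '*'"')
                    # Known warning: keep it visible, but on stderr.
                    printf '%s\n' "$line" >&2
                    continue ;;
            esac
            # First line that is not a known warning: the real output starts.
            in_preamble=0
        fi
        printf '%s\n' "$line"
    done
}

# Constructed sample: the two warnings followed by CSV rows, one of which
# legitimately contains "Warning:" and would be lost with grep -vi.
sample_cli_output() {
    printf '%s\n' \
        'Warning: Attempting to revert the SPLUNK_HOME ownership' \
        'Warning: Executing "chown -R splunkfwd /opt/splunkforwarder"' \
        '_time,host,message' \
        '2023-07-17T10:00:00,web01,"Warning: disk usage at 91%"'
}

# Typical use in an export script:
#   <splunk CLI command> | strip_uf_ownership_warnings > export.csv 2> err.txt
sample_cli_output | strip_uf_ownership_warnings
```

Because the match is on the full line and stops at the first non-warning line, any other unexpected message still reaches the export file, where an automation check can notice it instead of it being silently discarded.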

jfrench
Loves-to-Learn Lots

It is a breaking issue as I cannot run btool on my forwarders that are throwing this message. 

0 Karma