Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk forwarder starts, then throws an error saying splunk hasn't started.

bcurtiss
Engager
‎01-07-2013 12:50 PM

I'm trying to get a splunk forwarder running on a linux box, but when I try to tell the forwarder to forward to a specific indexer, it throws an error saying that Splunk is not running. Anyone ever have this issue? I'm trying to use version 4.3.5.

This is what I tried to do:

[root:/opt/splunkforwarder/bin]# ./splunk start

Splunk> Finding your faults, just like mom.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
[ OK ]
Done.[root:/opt/splunkforwarder/bin]# ./splunk add localhost myindexer.net:9997
Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".
[root:/opt/splunkforwarder/bin]#

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bcurtiss
Engager
‎01-08-2013 11:26 AM

Thanks for the responses, but the problem was actually just because of a crappy firewall rule. I ended up running an strace and saw that it was failing on connect(); I fixed the rule and everything is fine now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bcurtiss
Engager
‎01-08-2013 11:26 AM

Thanks for the responses, but the problem was actually just because of a crappy firewall rule. I ended up running an strace and saw that it was failing on connect(); I fixed the rule and everything is fine now.

0 Karma
Reply
Solved! Jump to solution

tbarnard
Explorer
‎01-08-2013 10:17 AM

I've seen that behavior before when there old PID file is stuck. With splunk stopped check and see if /opt/splunkforwarder/var/run/splunk/splunkd.pid is still there and delete it if it is. Then start splunk again.

0 Karma
Reply
Solved! Jump to solution

tbarnard
Explorer
‎01-07-2013 04:18 PM

Have you started splunkforwarder before? The first time splunk starts you will need to accept it's license.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-07-2013 02:04 PM

try ./splunk status to see what is the process doing.
and check the internal logs in $SPLUNK_HOME/var/log/splunk/splunkd.log for errors.

Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...