Splunk Enterprise

Why am I unable to start Splunk Web or Splunkd Service?

madavis1986
Explorer

I have been trying to configure my Splunk instance (on Windows) to be run by an MSA.

I was never able to install Splunk and configure it to MSA execution in one single step. The closest I got to this goal was using the following command:

msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes LOGON_USERNAME=\Splunk LOGON_PASSWORD="" LAUNCHSPLUNK=0 /lv C:\SplunkInstall.log /qb

which resulted in the following SplunkInstall.log error:

SetupServiceConfig: Error: ChangeServiceConfig failed 0x421
SetupServiceConfig: Error: 0x80004005: Cannot setup splunkd
CustomAction SetupServiceConfig returned actual error code 1603 

(note this may not be 100% accurate if translation happened inside sandbox)

Instead, I tried to install Splunk to run as a "Local System" user (since I know this works when I use the MSI GUI) and then (prior to Splunk's first launch) manually change Splunk to run as the MSA. I got further along the process this way, as I was able to successfully install Splunk using the following cmdline:

msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes SPLUNKPASSWORD=MyNewPassword123 LAUNCHSPLUNK=0 /lv C:\SplunkInstall.log /qb

SplunkInstall.log reported no errors, and so I executed the steps to change the user executing Splunk as described here: http://docs.splunk.com/Documentation/Splunk/5.0.3/Installation/CorrectingtheuserselectedduringWindow...

The issue I am now facing is that neither the Splunkd Service service nor Splunk Web (legacy) is starting. When I attempted to start Splunk via cmdline, I found the following error in $SPLUNK_HOME\var\log\splunk\splunkd-utility.log:

ERROR UserManagerPro - The password cannot be set to the default password
ERROR AdminHandler:AuthenticationHandler - The password cannot be set to the default password.

Side Note: $SPLUNK_HOME\etc\passwd ends in the following text:

... ::Administrator:admin:changeme@example.com::

When I attempted to start the service from the Windows GUI "Services", I received the following pop-up error:

Windows could not start the Splunkd Service service on Local Computer
Error 1067: The process terminated unexpectedly.

Side note: In an attempt to fix the "Windows could not start the Splunkd Service" issue, I attempted the regedit command (regedit HKLM) detailed here: https://answers.splunk.com/answers/146016/windows-could-not-start-the-splunkd-or-splunkforwarder-ser...

This resulted in an error popup stating the following:

Cannot import HKLM: Error opening the file. There may be a disk or file system error.