Splunk Enterprise

Why is Splunk not starting on my Mac OS 10.12 after following documentation on starting Splunk Enterprise for the first time?

mvanorshoven
New Member

In the "Start Splunk Enterprise for the first time" topic of the Installation Manual, it reads:

"Double-click the Splunk icon on your desktop to launch the Splunk helper application, called Splunk's Little Helper.
The first time you run the helper application, it notifies you that it needs to perform an initialization."

When I click on the Splunk icon on my Mac OS 10.12, nothing happens.

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

Meh. I wouldn't bother with a "helper." I've been running Splunk on MacOS for years, and I've never done that.
Open a terminal window. Navigate to wherever you installed Splunk. For me, it is /Applications/splunk. Then:

cd bin
./splunk start
# The first time that you start Splunk
# 1. Accept the license
# 2. Choose alternate ports if any of the ports that Splunk wants are blocked
# Now Splunk should be running!

This does not set up Splunk to run at boot time; you must start it yourself whenever you want to use it. This is what I prefer, as I don't want Splunk running continuously in the background. When you want to stop Splunk, you can do the same thing, but use "stop" instead of "start." I am not seriously indexing data on my laptop, so sometimes I forget to stop Splunk before I shutdown. So far, I have never had a problem starting it again the next time I run it.

By default, Splunk runs a web server on port 8000. So to use the Splunk user interface, just start a browser and type in the url: localhost:8000 [Although if you changed the port to something other than 8000 when you started Splunk, then do the right thing and change the port here, too!] I generally use Chrome or Firefox, but I hear that Safari also works well with Splunk.

In summary, Splunk runs in the background like a daemon. You can interact with it on the command line if you like - or you can use a browser to access the GUI. You don't need the helpers or shortcuts or any of that stuff. When you look in the documentation, the docs that apply to Linux will usually be identical to running Splunk on MacOS - just remember the directory where you installed Splunk.

View solution in original post

prasannat5
New Member

I faced the same issue after install. I have Mac High Sierra 10.13.3 and Installing Splunk 7.0.2.

I removed the splunk folder and re-installed. It worked as expected. (A popup appears asking what you would like to do. Click Start and Show Splunk. The login page for Splunk Enterprise opens in your browser window. - http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchTutorial/InstallSplunk#Mac_OS_X_installation...)

Then resolved homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem. error with

https://answers.splunk.com/answers/306998/why-am-i-getting-homepathoptsplunkvarlibsplunkaudi.html with OPTIMISTIC_ABOUT_FILE_LOCKING = 1.

Thanks!

0 Karma

lguinn2
Legend

Meh. I wouldn't bother with a "helper." I've been running Splunk on MacOS for years, and I've never done that.
Open a terminal window. Navigate to wherever you installed Splunk. For me, it is /Applications/splunk. Then:

cd bin
./splunk start
# The first time that you start Splunk
# 1. Accept the license
# 2. Choose alternate ports if any of the ports that Splunk wants are blocked
# Now Splunk should be running!

This does not set up Splunk to run at boot time; you must start it yourself whenever you want to use it. This is what I prefer, as I don't want Splunk running continuously in the background. When you want to stop Splunk, you can do the same thing, but use "stop" instead of "start." I am not seriously indexing data on my laptop, so sometimes I forget to stop Splunk before I shutdown. So far, I have never had a problem starting it again the next time I run it.

By default, Splunk runs a web server on port 8000. So to use the Splunk user interface, just start a browser and type in the url: localhost:8000 [Although if you changed the port to something other than 8000 when you started Splunk, then do the right thing and change the port here, too!] I generally use Chrome or Firefox, but I hear that Safari also works well with Splunk.

In summary, Splunk runs in the background like a daemon. You can interact with it on the command line if you like - or you can use a browser to access the GUI. You don't need the helpers or shortcuts or any of that stuff. When you look in the documentation, the docs that apply to Linux will usually be identical to running Splunk on MacOS - just remember the directory where you installed Splunk.

mvanorshoven
New Member

yes, splunk was running. I ended up putting it on a virtual machine. This was for a class exercise so I'm good now. I think that the 10.12 version of OS messed it up.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Update: The High Sierra issue is fixed in the Splunk Enterprise 7.1 release. The fix will also appear in a future 7.0.x maintenance release.

0 Karma

mvanorshoven
New Member

Ok, now, I have an idiot question. I am embarrassed to ask but I can't figure this out on my own. I did follow your instructions Lguinn. I also changed the config file per this thread: https://answers.splunk.com/answers/453977/macos-sierra-1012-kills-splunk.html and I added
OPTIMISTIC_ABOUT_FILE_LOCKING = 1
But when I go to localhost:8000 in my browsers both chrome and firefox... I get the following:
alt text

0 Karma

lguinn2
Legend

Is splunk running?

In a terminal window:

ps -ef | grep splunkd

and you will see if splunk is running, if it is not, then

cd /Applications/splunk   # or wherever you installled Splunk
./splunk start
0 Karma

mvanorshoven
New Member

Thanks Lguinn!

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...