In the "Start Splunk Enterprise for the first time" topic of the Installation Manual, it reads:
"Double-click the Splunk icon on your desktop to launch the Splunk helper application, called Splunk's Little Helper.
The first time you run the helper application, it notifies you that it needs to perform an initialization."
When I click on the Splunk icon on my Mac OS 10.12, nothing happens.
Meh. I wouldn't bother with a "helper." I've been running Splunk on MacOS for years, and I've never done that.
Open a terminal window. Navigate to wherever you installed Splunk. For me, it is
    cd bin
    ./splunk start
    # The first time that you start Splunk
    # 1. Accept the license
    # 2. Choose alternate ports if any of the ports that Splunk wants are blocked
    # Now Splunk should be running!
This does not set up Splunk to run at boot time; you must start it yourself whenever you want to use it. This is what I prefer, as I don't want Splunk running continuously in the background. When you want to stop Splunk, you can do the same thing, but use "stop" instead of "start." I am not seriously indexing data on my laptop, so sometimes I forget to stop Splunk before I shut down. So far, I have never had a problem starting it again the next time I run it.
By default, Splunk runs a web server on port 8000. So to use the Splunk user interface, just start a browser and type in the URL:
localhost:8000
[Although if you changed the port to something other than 8000 when you started Splunk, then do the right thing and change the port here, too!] I generally use Chrome or Firefox, but I hear that Safari also works well with Splunk.
In summary, Splunk runs in the background like a daemon. You can interact with it on the command line if you like - or you can use a browser to access the GUI. You don't need the helpers or shortcuts or any of that stuff. When you look in the documentation, the docs that apply to Linux will usually be identical to running Splunk on MacOS - just remember the directory where you installed Splunk.
OK, now, I have an idiot question. I am embarrassed to ask but I can't figure this out on my own. I did follow your instructions, Lguinn. I also changed the config file per this thread: https://answers.splunk.com/answers/453977/macos-sierra-1012-kills-splunk.html and I added
OPTIMISTIC_ABOUT_FILE_LOCKING = 1
But when I go to localhost:8000 in my browsers, both Chrome and Firefox... I get the following:
Is splunk running?
In a terminal window:
ps -ef | grep splunkd
and you will see if Splunk is running. If it is not, then
    cd /Applications/splunk/bin   # or wherever you installed Splunk
    ./splunk start
Yes, Splunk was running. I ended up putting it on a virtual machine. This was for a class exercise so I'm good now. I think that the 10.12 version of the OS messed it up.
Update: The High Sierra issue is fixed in the Splunk Enterprise 7.1 release. The fix will also appear in a future 7.0.x maintenance release.
I faced the same issue after install. I have Mac High Sierra 10.13.3 and was installing Splunk 7.0.2.
I removed the splunk folder and re-installed. It worked as expected. (A popup appears asking what you would like to do. Click Start and Show Splunk. The login page for Splunk Enterprise opens in your browser window. - http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchTutorial/InstallSplunk#Mac_OS_X_installation...)
Then resolved the "homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem." error with https://answers.splunk.com/answers/306998/why-am-i-getting-homepathoptsplunkvarlibsplunkaudi.html with OPTIMISTIC_ABOUT_FILE_LOCKING = 1.
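The three checks that come up in this thread (is splunkd running, is the locking override set, is anything answering on the web port) can be combined into one triage script. This is an added example, not part of any post above: the function names are hypothetical, the default SPLUNK_HOME is taken from the path in the error message, and it assumes the setting lives in `$SPLUNK_HOME/etc/splunk-launch.conf`.

```sh
#!/bin/sh
# Added example: triage for "nothing happens at localhost:8000" on a local install.
# Assumptions: SPLUNK_HOME default and web port 8000 as mentioned in the thread.
SPLUNK_HOME="${SPLUNK_HOME:-/Applications/Splunk}"
WEB_PORT="${WEB_PORT:-8000}"

# Return 0 if a splunkd process exists. Same idea as `ps -ef | grep splunkd`,
# but the bracket trick stops grep from matching its own command line.
splunkd_running() {
    ps -ef | grep '[s]plunkd' >/dev/null
}

# Return 0 if FILE sets OPTIMISTIC_ABOUT_FILE_LOCKING to 1 on an uncommented line.
locking_override_set() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*OPTIMISTIC_ABOUT_FILE_LOCKING[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 if something answers HTTP on the given port (default: WEB_PORT).
web_answering() {
    curl -s -o /dev/null --max-time 3 "http://localhost:${1:-$WEB_PORT}/"
}

# Print one status line per check.
triage() {
    conf="$SPLUNK_HOME/etc/splunk-launch.conf"
    splunkd_running \
        && echo "splunkd: running" \
        || echo "splunkd: not running (cd $SPLUNK_HOME/bin && ./splunk start)"
    locking_override_set "$conf" \
        && echo "locking override: set in $conf" \
        || echo "locking override: not set in $conf"
    web_answering \
        && echo "web: answering on port $WEB_PORT" \
        || echo "web: nothing on port $WEB_PORT (was another port chosen at first start?)"
}

triage
```

If splunkd is running but nothing answers on the web port, the port chosen at first start is the next thing to check.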