Splunk Enterprise

splunk 9.4.3 docker image failed to start

dbloms
Explorer

Hello,

I start splunk 9.4.3 as a docker container from the image registry.hub.docker.com/splunk/splunk:latest.
However, it terminates after approx. 60 seconds with the message:

TASK [splunk_standalone : Get existing HEC token] ******************************
fatal: [localhost]: FAILED! => {
"changed": false
}

MSG:

GET/services/data/inputs/http/splunk_hec_token?output_mode=jsonadmin********8089NoneNoneNone[200, 404];; AND excep_str: URL: https://127.0.0.1:8089/services/data/inputs/http/splunk_hec_token?output_mode=json; data: None, exception: API call for https://127.0.0.1:8089/services/data/inputs/http/splunk_hec_token?output_mode=json and data as None failed with status code 401: {"messages":[{"type": "ERROR", "text": "Unauthorised"}]}, failed with status code 401: {"messages":[{"type": "ERROR", "text": "Unauthorised"}]}

PLAY RECAP *********************************************************************
localhost : ok=69 changed=3 unreachable=0 failed=1 skipped=69 rescued=0 ignored=0

If I start the container with "sleep infinity" and then exec into the container I can start splunk with "splunk start" and splunk works perfectly.
Can anyone tell me what the problem is?

thahir
Communicator

The error indicates the automation can't authenticate against 127.0.0.1:8089.

Accept the license and try with the below:

docker run -d \
--name splunk \
-e SPLUNK_START_ARGS="--accept-license" \
-e SPLUNK_PASSWORD="yourpassword" \
splunk/splunk:latest
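
Added example, not part of the original thread or of Splunk's own tooling: a small Python triage of the container's Ansible output that extracts the failed task, the REST URL and the HTTP status, and flags a 401 from management port 8089 as the credential problem described in the answer above. The sample log is constructed from the message quoted in the question; `failed_tasks` and `diagnose` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, shaped like the failure output quoted in the question.
SAMPLE_LOG = """\
TASK [splunk_standalone : Get existing HEC token] ******************************
fatal: [localhost]: FAILED! => {
"changed": false
}
MSG:
exception: API call for https://127.0.0.1:8089/services/data/inputs/http/splunk_hec_token?output_mode=json and data as None failed with status code 401: {"messages":[{"type": "ERROR", "text": "Unauthorised"}]}
PLAY RECAP *********************************************************************
localhost : ok=69 changed=3 unreachable=0 failed=1 skipped=69 rescued=0 ignored=0
"""

TASK_RE = re.compile(r"^TASK \[(.+?)\] \*+")
FATAL_RE = re.compile(r"^fatal: \[[^\]]+\]: FAILED!")
API_RE = re.compile(r"API call for (https?://\S+).*?failed with status code (\d{3})")


def failed_tasks(log_text):
    """Return one dict per failed Ansible task: task name, API URL, HTTP status."""
    findings, task, current = [], None, None
    for line in log_text.splitlines():
        if m := TASK_RE.match(line):
            task, current = m.group(1), None      # new task header resets state
        elif FATAL_RE.match(line):
            current = {"task": task, "url": None, "status": None}
            findings.append(current)
        elif current is not None and current["status"] is None and (m := API_RE.search(line)):
            # Only the first "API call ... status code" after a fatal line is kept.
            current["url"], current["status"] = m.group(1), int(m.group(2))
    return findings


def diagnose(finding):
    """Map a failed REST call to a likely cause (hypothetical helper)."""
    url = urlsplit(finding["url"] or "")
    if finding["status"] == 401 and url.port == 8089:
        return ("auth", "splunkd rejected the admin credentials; check that "
                "SPLUNK_PASSWORD matches the instance's current admin password")
    if finding["status"] is None:
        return ("unknown", "task failed without a REST status code; read the MSG block")
    return ("http", f"REST call returned {finding['status']}; inspect the endpoint and response body")


if __name__ == "__main__":
    for f in failed_tasks(SAMPLE_LOG):
        print(f["task"], f["status"], *diagnose(f))
```
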

dbloms
Explorer

Yes, you are right.

The admin password was changed, now it starts without problems.

Many thanks to you, you saved my day!

thahir
Communicator

hi @dbloms ,

Glad to hear.

happy splunking!

P.S.: Karma Points are appreciated by me and the other contributors 🙂 

livehybrid
SplunkTrust

Hi @dbloms 

What env variables and/or configs are you passing through to this container? 

Thanks

Will

dbloms
Explorer

Hello @livehybrid ,

thank you for your support!

I've set the following environment variables:

SPLUNK_START_ARGS: --accept-license
TZ: Europe/Berlin
SPLUNK_PASSWORD: XXXXXXX

I run splunk on a Kubernetes (k3s) cluster, so there are many variables managed by k3s.

I've uploaded the output of a failed start to https://bloms.de/download/splunk-failed-start.txt

Thank you

Dieter
