Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- splunk 9.4.3 docker image failed to start
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I start splunk 9.4.3 as a docker container from the image registry.hub.docker.com/splunk/splunk:latest.
However, it terminates after approx. 60 seconds with the message:
TASK [splunk_standalone : Get existing HEC token] ******************************
fatal: [localhost]: FAILED! => {
"changed": false
}
MSG:
GET/services/data/inputs/http/splunk_hec_token?output_mode=jsonadmin********8089NoneNoneNone[200, 404];; AND excep_str: URL: https://127.0.0.1:8089/services/data/inputs/http/splunk_hec_token?output_mode=json; data: None, exception: API call for https://127.0.0.1:8089/services/data/inputs/http/splunk_hec_token?output_mode=json and data as None failed with status code 401: {"messages":[{"type": "ERROR", "text": "Unauthorised"}]}, failed with status code 401: {"messages":[{"type": "ERROR", "text": "Unauthorised"}]}
PLAY RECAP *********************************************************************
localhost : ok=69 changed=3 unreachable=0 failed=1 skipped=69 rescued=0 ignored=0If I start the container with "sleep infinity" and then exec into the container I can start splunk with "splunk start" and splunk works perfectly.
Can anyone tell me what the problem is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The error indicates the automation can't authenticate against 127.0.0.1:8089
Accept the license and try with below
docker run -d \
--name splunk \
-e SPLUNK_START_ARGS="--accept-license" \
-e SPLUNK_PASSWORD="yourpassword" \
splunk/splunk:latest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The error indicates the automation can't authenticate against 127.0.0.1:8089
Accept the license and try with below
docker run -d \
--name splunk \
-e SPLUNK_START_ARGS="--accept-license" \
-e SPLUNK_PASSWORD="yourpassword" \
splunk/splunk:latest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you are right.
The admin password was changed, now it it starts without problems.
Many thanks to you, you saved my day!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @dbloms ,
Glad to hear.
happy splunking!
P.S.: Karma Points are appreciated by me and the other contributors 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @livehybrid ,
thank you for your support!
I've set the following environment variables:
SPLUNK_START_ARGS: --accept-license
TZ: Europe/Berlin
SPLUNK_PASSWORD: XXXXXXXI run splunk on a kubernets (k3s) cluster, so there are many variables managed by k3s.
I've uploaded the output a a failed start to https://bloms.de/download/splunk-failed-start.txt
Thank you
Dieter
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
