Splunk Search

How to get the "splunk" command working with Windows 2008 and UAC?

Lowell
Super Champion

This may be more of a Windows UAC question than a splunk question, but I'm guessing that others are going to be running into this too. (I don't have a lot of Win2k8 experience, so please forgive me if I'm missing something obvious.)

Whenever I try to run a "splunk" command from a Command Prompt on my Win2k8R2 box, I get prompted with a "User Account Control" dialog box:

Do you want to allow the following program to make changes to this computer?

Program name: splunk.exe
Verified publisher: Splunk Inc
File origin: Hard drive on this computer
Program location: "C:\Program Files\Splunk\bin\splunk.exe" test sourcetype H:\ArchivedLogs\log_archive.log

If I say "Yes" and allow the program to run, then splunk is run in a new Command Prompt window that flashes open, and for a split second I can see some text, but then it closes down before I can read anything.

I've also tried using the runas utility, but then I get the message:

RUNAS ERROR: Unable to run - splunk test sourcetype H:\ArchivedLogs\log_archive.log
740: The requested operation requires elevation.

If you are just running splunk start or something like that, then this doesn't matter too much, but there are plenty of commands that have output that I need to be able to see. (Such as "splunk test sourcetype <file>", or even a simple "splunk help")

Any help would be appreciated.


I have a couple of Win2k8R2 servers set up with splunk and I've run into this issue on all of them so far. (I've tried this with various Splunk 4.1.x versions). All of these installs have splunk running as the default local SYSTEM user.

I've tried a few different runas commands with no luck (but I could be missing something). Any attempts to redirect the standard output haven't worked either.

1 Solution

justinhart
Path Finder

When opening the command prompt, run it as Administrator. I tested this and it seems to get rid of the "Do you want to allow the following program to make changes to this computer?" box and separate cmd window.
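As an added illustration of the accepted answer (not code from the thread or from Splunk), this PowerShell snippet checks whether the current shell already holds an elevated token and, if not, relaunches the splunk command through the UAC consent prompt in a cmd window that stays open so the output can be read. The Splunk install path and the log file path are taken from the question; the function names are made up for this example.

```powershell
# Added example, not from the original thread. Assumes the default install
# path C:\Program Files\Splunk and the log file named in the question.
$SplunkExe = 'C:\Program Files\Splunk\bin\splunk.exe'
$LogFile   = 'H:\ArchivedLogs\log_archive.log'

function Test-IsElevated {
    # Under UAC an account in the Administrators group runs with a filtered
    # (medium-integrity) token until it elevates. This checks the process
    # token, so it returns $false in a normal prompt even for an admin user,
    # and $true in a prompt opened with "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SplunkElevated {
    param([string[]]$SplunkArgs)

    if (Test-IsElevated) {
        # Already elevated: run in-process so the output stays in this window.
        & $SplunkExe @SplunkArgs
        return
    }

    # Not elevated: plain runas fails with error 740, and a direct call pops
    # the UAC dialog plus a window that closes at once. Use the RunAs verb
    # (UAC consent prompt) with "cmd /k" so the elevated window stays open.
    # cmd strips the outermost pair of quotes, leaving the quoted exe path.
    $cmdLine = '/k ""' + $SplunkExe + '" ' + ($SplunkArgs -join ' ') + '"'
    Start-Process -FilePath 'cmd.exe' -ArgumentList $cmdLine -Verb RunAs
}

# Example from the question: test the sourcetype detection on an archived log.
Invoke-SplunkElevated -SplunkArgs @('test', 'sourcetype', "`"$LogFile`"")
```

When the script itself is started from an already elevated prompt, no second window is opened and the output appears inline.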



justinhart
Path Finder

UAC is not dependent on the system groups. Essentially nothing is run as Administrator unless you specifically tell it to.


Lowell
Super Champion

The migration crash seems to be related to yet another permissions issue. (I'm guessing Administrator vs SYSTEM?) But whatever, I think this is the right answer. Although, I still don't understand why this works as the "Administrator" user, but not for a user who is in the Administrator group.


ftk
Motivator

justinhart's solution is how I handle it in my environment as well.


Lowell
Super Champion

Yeah, that does get rid of the UAC stuff, but I'm being told that a new version of Splunk was installed and the upgrade process needs to be run. Unfortunately it crashes during the migration.
