This morning after rebooting my computer with splunk on it, Splunk refuses to start.
Trying to investigate the problem, I found a few odd things. The most likely error is identified by a message [Conf is currently being modified by process 4432] which occurs on a number of attempts at starting splunk, or trying to check licence via cli, for instance. The strange thing is that there does not seem to be a process 4432 running on my computer!
Has Splunk got corrupted somehow?
Here is an odd extract from the logs:
01-28-2013 02:30:55.412 +0800 INFO LicenseMgr - Initing LicenseMgr runContext_splunkd=false
01-28-2013 02:30:55.412 +0800 INFO LMStackMgr - closing stack mgr
01-28-2013 02:30:55.412 +0800 INFO LMSlaveInfo - all slaves cleared
01-28-2013 02:30:55.422 +0800 INFO LMStackMgr - created stack='download-trial'
01-28-2013 02:30:55.422 +0800 INFO LMStackMgr - have to auto-set active stack group='Trial' reason='invalid/missing group id' gidStr='' oldGid=Invalid
I start splunk via the CLI as:
"$ sudo /opt/splunk/bin/splunk start"
I then get the following:
"Splunk> Winning the War on Error
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking indexes...
Validated databases: _audit _blocksignature _internal _thefishbucket history main os sos sos_summary_daily summary
Done
Checking filesystem compatibility... Done
Checking conf files for typos... Done
All preliminary checks passed.
Conf is currently being modified by process 4432.
Conf is currently being modified by process 4432.
Conf is currently being modified by process 4432.
Conf is currently being modified by process 4432.
Conf is currently being modified by process 4432.
Conf is currently being modified by process 4432.
Starting splunk server daemon (splunkd)...
Timed out waiting for splunkd to start.
Starting splunkweb... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://wolfgang:8000"
and on attempting to reach splunk via the web interface, I get:
"The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running."
With the following at the bottom of the screen:
"You are using wolfgang:8000, which is connected to splunkd @000 at https://127.0.0.1:8089 on Mon Jan 28 04:52:13 2013."
The @000 seems a bit odd, no?
... View more