Spunkd failed to start after Enable APP "Universal...

iorp01 · ‎04-11-2011

Hi there,

I'm running Splunk in a Testenvironment and I'm just trying to deploy the universal forwarder to some other W2K8 Servers. To do this, I wanted to enable the App in the Splunk-Webinterface. After doing that, the Splunk-Service on the Server has to be manually restarted. When I try to do this, the service starts up, but after 5 five seconds the service goes into the stopped-state again. Only when I manually edit the app.conf to state = disabled, the service starts again. But of course the app is disabled then. I don't know what I'm doing wrong. Does anyone know what to do?

The only errormessage I get is in the Eventlog: Faulting application name: splunkd.exe, version: 0.0.0.0, time stamp: 0x4d7a0138 Faulting module name: KERNELBASE.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdfe0 Exception code: 0xeeab5254 Fault offset: 0x000000000000aa7d Faulting process id: 0x934 Faulting application start time: 0x01cbf816567f4172 Faulting application path: C:\Program Files\Splunk\bin\splunkd.exe Faulting module path: C:\Windows\system32\KERNELBASE.dll Report Id: 9c94e584-6409-11e0-b367-005056bf0053

Thanks in advance, Pascal

ftk · ‎04-11-2011

Instead of installing a regular Splunk instance and then enabling an app (as you would do with the lightweight forwarder), you must deploy the UniversalForwarder using a separate installer, available here: http://www.splunk.com/download/universalforwarder

Here is the relevant documentation to installing the UF on Windows: http://www.splunk.com/base/Documentation/latest/Deploy/DeployaWindowsdfmanually

Spunkd failed to start after Enable APP "Universal Forwarder"

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!