I followed the basic install of Splunk (64-bit) and placed the tar install in /opt/splunk. I successfully started the splunk service.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
All preliminary checks passed.
Starting splunk server daemon (splunkd)... [ OK ]
However, when I attempt to connect to the website at: http://localhost:8000 I get a page cannot be found. I noted the mgmt port is the only one that seems to exist (shown above). So I tried http://localhost:8089. It didn't work either. Is there some missing step? Do I need to define some virtual directory in Apache Web Server to point to something in Splunk's /opt/splunk directory?
Any tips are welcome.
Splunk comes with its own CherryPy based webserver called SplunkWeb. I would have expected a similar output for Splunkweb starting, with messages like:
Checking http port [8000]: open
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com/Documentation/Splunk
The Splunk web interface is at http://x.y.com:8000
My first guess would be you installed the universal forwarder tarball, which does not include Splunkweb, and is intended as an "endpoint" or "agent" installation. Go get the full tarball and give it a try. (Or get the RPMs, "they're tasty" says yum)
Is anything listening on port 8000? Not sure if they've fixed it for 4.3, but the 4.2 UF would also say after installation to connect on port 8000 locally.
You ask about firewalls; have you looked at the configuration of iptables? "/sbin/iptables --list" will show the firewall rules currently in effect. You could also "/sbin/service iptables stop" or "/sbin/iptables --flush" to disable them temporarily.
I even hacked the "splunk-launch.conf" and added "SPLUNK_BINDIP=192.168.1.2". Then restarted the whole splunk:
...
Checking http port [192.168.1.2:8000]: open
Checking mgmt port [192.168.1.2:8089]: open
Checking configuration... Done.
Checking index directory...
Validated databases: _audit _blocksignature _internal _thefishbucket history main summary ...
The Splunk web interface is at http://[192.168.1.2]:8000
However, it still does NOT let me view anything on http://192.168.1.2:8000. Is there some firewall setting? Or perhaps Apache (httpd) is blocking?
Although it appears that a full install is on the machine...
Starting splunk server daemon (splunkd)...
[ OK ]
[ OK ]
Done.
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com/Documentation/Splunk
The Splunk web interface is at http://127.0.0.1:8000
.....the address I am hitting it at http://192.168.2.1:8000 tells me that no page can be found. I am running CentOS6, httpd, mysql, and Webmin 1.560.
If the directory that the user sees on the system is actually "/opt/splunk" then, unless they've changed it, I believe that would indicate it's the full version.
It is possible though that they've either 1) somehow managed to disable the web server by setting their full instance to LWF mode... or 2) maybe SELinux is blocking something?
I installed the correct version....
The Splunk web interface is at http://127.0.0.1:8000
However, the static IP address for the Linux machine which differs from the localhost IP address still says the web page cannot be found. Is there some "config" file I need to hack to put in the actual static IP? Thanks.
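The checks suggested in this thread (is anything listening on port 8000, which address it is bound to, and whether iptables rejects the port) can be run together. The script below is an added example, not part of any post; the function names and sample text are constructed, and the firewall walk is a heuristic that only looks at INPUT rules naming --dport or carrying no match criteria.

```shell
#!/bin/sh
# Triage an unreachable TCP port from the text of `ss -ltn` and `iptables -S INPUT`.
# listener_scope PORT (ss text on stdin) -> none | loopback | all | specific:<addr>
listener_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":"); p = parts[n]
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # strip IPv6 brackets
      if (addr == "0.0.0.0" || addr == "*" || addr == "::") all = 1
      else if (addr ~ /^127\./ || addr == "::1") loop = 1
      else spec = addr
    }
    END { if (all) print "all"; else if (spec != "") print "specific:" spec
          else if (loop) print "loopback"; else print "none" }'
}
# firewall_verdict PORT (iptables -S INPUT text on stdin) -> allowed | blocked
# First matching rule wins; falls back to the chain policy.
firewall_verdict() {
  awk -v port="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 == "-A" && $2 == "INPUT" && verdict == "" {
      target = ""; dport = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
      }
      if (dport == port || $3 == "-j") {           # port rule or catch-all rule
        if (target == "ACCEPT") verdict = "allowed"
        else if (target == "REJECT" || target == "DROP") verdict = "blocked"
      }
    }
    END { if (verdict == "") verdict = (policy == "ACCEPT") ? "allowed" : "blocked"
          print verdict }'
}
# diagnose PORT SS_TEXT IPTABLES_TEXT -> one-line finding
diagnose() {
  scope=$(printf '%s\n' "$2" | listener_scope "$1")
  fw=$(printf '%s\n' "$3" | firewall_verdict "$1")
  case "$scope" in
    none)     echo "nothing listening on $1" ;;
    loopback) echo "port $1 bound to loopback only" ;;
    *) [ "$fw" = blocked ] && echo "listening ($scope) but firewall blocks $1" \
         || echo "reachable ($scope)" ;;
  esac
}
# Constructed samples; on a live host use: diagnose 8000 "$(ss -ltn)" "$(iptables -S INPUT)"
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*'
FW_SAMPLE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
diagnose 8000 "$SS_SAMPLE" "$FW_SAMPLE"
```

A "loopback only" or "specific" result points at the bind address (for example SPLUNK_BINDIP in splunk-launch.conf, mentioned above); a "firewall blocks" result points at the iptables rules.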