Installation

After downloading the free trial, why do I get the error "cannot accept license agreement"?

brentpulmans
Engager

For a project in our company, I would like to test whether Splunk would be a good choice. I downloaded the free trial and tried to start it, but after the License Agreement is shown, I get the following error after entering 'y':

Warning: cannot create "opt/splunk/etc/licenses/download-trial"

I am using an Ubuntu 16.04 server. For testing, I work with a virtual machine. The command I used to start Splunk is the following: sudo ./splunk start

What might be wrong?

Thanks for your help!

Richfez
SplunkTrust

The tar file for Splunk uses a user with userid #506 if I recall correctly, and that UID doesn't exist on your system. At least, it's never existed on any of MY systems. 🙂

You can see this if you

cd /opt
ls -l

When you do that, you'll see that the user listed isn't valid and shows a number instead of a name. (If you `ls -l` in another folder, you'll see real names for things.)

The docs are missing a step. Since you are running as root (which is not ideal, but it will work well enough in a test environment), you should be able to add one little step in the middle.

sudo tar xvzf splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz -C /opt
sudo chown -R root:root /opt/splunk
cd /opt/splunk/bin
sudo ./splunk start

To be honest, I don't really know if user:group root:root is really correct, you may want root:adm or something, because I've never installed as root for security reasons. It probably won't matter much, but I would suggest looking at some other system binaries owned by root and seeing what user:group they're in and mimic that for Splunk.

Happy Splunking!
-Rich
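
The ownership mismatch described in the answer above can be spotted before anything is extracted. This is an added example, not code from the thread or from Splunk: it reads the owner fields recorded in a tarball and reports which ones would not map to a local account, assuming GNU tar's default of matching the archived name first and the numeric ID second. The sample archive, the `splunk` owner name in it, and the account tables are constructed for illustration.

```python
import io
import tarfile
from collections import Counter

def archive_owners(fileobj):
    """Count (uid, uname, gid, gname) tuples recorded in a tarball, without extracting."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return Counter((m.uid, m.uname, m.gid, m.gname) for m in tar)

def unresolved_owners(owners, local_users, local_groups):
    """Return {(uid, gid): entry_count} for owners left as bare numbers after a root extract.

    Assumption: GNU tar defaults (archived name tried first, then numeric ID).
    local_users / local_groups map name -> id, e.g. built from pwd.getpwall().
    """
    bad = {}
    for (uid, uname, gid, gname), count in owners.items():
        user_ok = uname in local_users or uid in local_users.values()
        group_ok = gname in local_groups or gid in local_groups.values()
        if not (user_ok and group_ok):
            bad[(uid, gid)] = bad.get((uid, gid), 0) + count
    return bad

def build_sample_archive():
    """Constructed sample: two entries owned by UID/GID 506, one owned by root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uid, uname in [("splunk/bin/splunk", 506, "splunk"),
                                 ("splunk/etc/README", 506, "splunk"),
                                 ("splunk/root-owned", 0, "root")]:
            info = tarfile.TarInfo(name)
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed account tables standing in for /etc/passwd and /etc/group.
    users = {"root": 0, "ubuntu": 1000}
    groups = {"root": 0, "ubuntu": 1000}
    owners = archive_owners(build_sample_archive())
    for (uid, gid), n in unresolved_owners(owners, users, groups).items():
        print(f"{n} entries would be owned by unmapped {uid}:{gid}")
```

To audit a real download, pass `open(path, "rb")` to `archive_owners` and build the two tables from `pwd.getpwall()` and `grp.getgrall()`.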

Padillaz
Loves-to-Learn

Same just happened to me, I'm a Cybersecurity student, running Splunk in a VM for my digital forensics course. I just used the command "sudo ./splunk start" and I got past the license agreement.

FrankVl
Ultra Champion

Can you perhaps summarize the steps you took to install Splunk?

Did you perhaps configure Splunk to run under a normal, non-root account (e.g. splunk), while you created the Splunk directory with root, or some other account? Such that when Splunk starts (even when starting it with sudo) it runs as the configured user which does not have permissions?

Just check what the splunk process runs under after starting it and then make sure the splunk folder is owned by that account (and respective group).

brentpulmans
Engager

sudo wget -O splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'
sudo tar xvzf splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz -C /opt
cd /opt/splunk/bin
sudo ./splunk start
(accept license by entering y and pressing enter)

p_gurav
Champion

Can you try:

sudo ./splunk start --accept-license

p_gurav
Champion

Can you check user and owner of Splunk directory?

brentpulmans
Engager

Uid: 506/UNKNOWN

p_gurav
Champion

Can you try:

sudo chown -R root:root /opt/splunk

brentpulmans
Engager

This is what I'm getting now:

CLI

mayurr98
Super Champion

Can you try this?

sudo ./splunk start --accept-license

brentpulmans
Engager

When using --accept-license, I receive two more warnings, unfortunately:

Warning: cannot create "opt/splunk/var/log/splunk"

Warning: cannot create "opt/splunk/var/log/introspection"
Warning: cannot create "opt/splunk/etc/licenses/download-trial"

mayurr98
Super Champion

Well, have you given permissions to this folder?

brentpulmans
Engager

Yes, indeed

mayurr98
Super Champion

As you have installed it in a VM, do you have read/write access to the splunk folder at the Splunk mount point?

brentpulmans
Engager

I just checked it, and I indeed have read, write and execute rights.

p_gurav
Champion

What command are you using to install Splunk?

brentpulmans
Engager

I followed all commands from the video Splunk provides: https://www.splunk.com/en_us/download/splunk-enterprise/thank-you-enterprise.html

First of all
sudo wget -O splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'

Next I renamed it to make it easier to recognize:
mv splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz splunk.tgz

brentpulmans
Engager

I first downloaded everything:

sudo wget -O splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'

Next, I renamed the file splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz to splunk.tgz using mv splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz splunk.tgz

These were the next commands:
sudo tar xvzf splunk.tgz -C /opt
cd /opt/splunk/bin
sudo ./splunk start

I followed the video which you get after downloading: https://www.splunk.com/en_us/download/splunk-enterprise/thank-you-enterprise.html
