For a project in our company, I would like to test whether Splunk would be a good choice. I downloaded the free trial and tried to start it, but after the License Agreement is shown, I get the following error after entering 'y':
Warning: cannot create "opt/splunk/etc/licenses/download-trial"
I am using an Ubuntu 16.04 server. For testing, I work with a virtual machine. The command I used to start Splunk is the following: sudo ./splunk start
What might be wrong?
Thanks for your help!
The tar file for Splunk uses a user with userid #506 if I recall correctly, and that UID doesn't exist on your system. At least, it's never existed on any of MY systems. 🙂
You can see this if you
cd /opt
ls -l
When you do that, you'll see that the user listed isn't valid and shows a number instead of a name. (If you `ls -l` in another folder you'll see real names for things.)
The docs are missing a step. Since you are running as root (which is not ideal, but it will work well enough in a test environment), you should be able to add one little step in the middle.
sudo tar xvzf splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz -C /opt
sudo chown -R root:root /opt/splunk
cd /opt/splunk/bin
sudo ./splunk start
To be honest, I don't really know if user:group root:root is really correct, you may want root:adm or something, because I've never installed as root for security reasons. It probably won't matter much, but I would suggest looking at some other system binaries owned by root and seeing what user:group they're in and mimic that for Splunk.
Happy Splunking!
-Rich
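Added example, not part of the answer above or of Splunk's own tooling: a shell sketch of the check the answer describes. It lists the numeric UIDs recorded in a tarball, reports those with no local account, and counts extracted files not owned by the account that will run the service. The function names are hypothetical, and GNU tar is assumed for the listing format.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Splunk commands.
# Assumes GNU tar, whose verbose listing prints "uid/gid" in column 2
# when --numeric-owner is given.

# Print each distinct numeric UID recorded in the archive.
archive_uids() {
    tar --numeric-owner -tvf "$1" \
        | awk '{ split($2, o, "/"); print o[1] }' \
        | sort -un
}

# Succeed if the numeric UID maps to an account on this host.
uid_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null
    else
        awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' /etc/passwd
    fi
}

# Print archive UIDs that have no local account. Extracting as root
# preserves them, so "ls -l" shows a bare number as the owner.
orphan_uids() {
    for uid in $(archive_uids "$1"); do
        uid_exists "$uid" || echo "$uid"
    done
}

# Count entries under directory $1 that are NOT owned by user $2
# (name or numeric UID). 0 means the tree is consistently owned.
count_not_owned_by() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}
```

Run `orphan_uids` on the downloaded .tgz before extracting, and `count_not_owned_by /opt/splunk <user>` afterwards with the account the splunk process will run as; a non-zero count means a recursive chown is still needed.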
Same just happened to me, I'm a Cybersecurity student, running Splunk in a VM for my digital forensics course. I just used the command "sudo ./splunk start" and I got past the license agreement.
Can you perhaps summarize the steps you took to install Splunk?
Did you perhaps configure Splunk to run under a normal, non-root account (e.g. splunk), while you created the Splunk directory with root, or some other account? Such that when Splunk starts (even when starting it with sudo) it runs as the configured user which does not have permissions?
Just check what the splunk process runs under after starting it and then make sure the splunk folder is owned by that account (and respective group).
sudo wget -O splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'
sudo tar xvzf splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz -C /opt
cd /opt/splunk/bin
sudo ./splunk start
(accept license by entering y and pressing enter)
Can you try:
sudo ./splunk start --accept-license
Can you check user and owner of Splunk directory?
Uid: 506/UNKNOWN
Can you try:
chown -R root:root /opt/splunk
This is what I'm getting now:
Can you try this?
sudo ./splunk start --accept-license
When using --accept-license, I receive two more warnings unfortunately:
Warning: cannot create "opt/splunk/var/log/splunk"
Warning: cannot create "opt/splunk/var/log/introspection"
Warning: cannot create "opt/splunk/etc/licenses/download-trial"
Well, have you given permissions to this folder?
Yes, indeed
As you have installed it in a VM, do you have read/write access to the splunk folder at the splunk mount point?
I just checked it, and I indeed have read, write and execute rights.
What command are you using to install Splunk?
I followed all commands from the video Splunk provides: https://www.splunk.com/en_us/download/splunk-enterprise/thank-you-enterprise.html
First of all
sudo wget -O splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'
Next I renamed it to make it easier to recognize:
mv splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz splunk.tgz
I first downloaded everything:
sudo wget -O splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'
Next, I renamed the file splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz to splunk.tgz using mv splunk-7.0.3-fa31da744b51-Linux-x86_64.tgz splunk.tgz
These were the next commands:
sudo tar xvzf splunk.tgz -C /opt
cd /opt/splunk/bin
sudo ./splunk start
I followed the video which you get after downloading: https://www.splunk.com/en_us/download/splunk-enterprise/thank-you-enterprise.html