We are trying to run Splunk Enterprise on Kubernetes. We have a Helm chart that uses the official docker image (currently 7.1.2). We are using the following env vars to initialize Splunk:
    env:
      - name: SPLUNK_START_ARGS
        value: "--accept-license --answer-yes --seed-passwd ourpassword"
      - name: SPLUNK_USER
        value: root
      - name: SPLUNK_ENABLE_LISTEN
        value: "9997"
      - name: SPLUNK_ADD
        value: tcp 1514
Splunk appears to start and displays the message

    Waiting for web server at http://127.0.0.1:8000 to be available..... Done
    If you get stuck, we're here to help.
    Look for answers here: http://docs.splunk.com
    The Splunk web interface is at http://container-name:8000

and then a moment later we get the message

    Login failed
    Stopping splunkd...
    Shutting down. Please wait, as this may take a few minutes.
    ...
    Stopping splunk helpers...
    Done.

What login is failing? What do we need to do to correct this?
It is a known issue - https://github.com/splunk/docker-splunk/issues/62
It has a hardcoded login and password admin:changeme, that is used for several commands, including SPLUNK_ENABLE_LISTEN, see https://github.com/splunk/docker-splunk/blob/master/enterprise/entrypoint.sh#L103
Workarounds are:
1. Use changeme as a seed password.
2. Do not use environment variables for configuration.
3. Build your own image.
4. Wait a week to see what's new after .conf18 (there will be some announcements for the Docker image).
My answer should be valid for Docker image version(s): splunk/splunk:7.3.3(-redhat)
I've noticed this in entrypoint.sh and the message during container startup, which led me to the "SPLUNK_PASSWORD" env var.

    then
      echo "WARNING: No password ENV var. Stack may fail to provision if splunk.password is not set in ENV or a default.yml"
    fi

This set of environment variables worked for me:
    SPLUNK_START_ARGS: --accept-license --answer-yes
    SPLUNK_ENABLE_LISTEN: 9997
    SPLUNK_ADD: tcp 1514
    SPLUNK_USER: root
    # if custom admin password, env var required for >= 7.3.x
    SPLUNK_PASSWORD: your-custom-password
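
Added example, not part of the answer above or of the docker-splunk project: the same variables written as a Kubernetes Pod spec, with SPLUNK_PASSWORD read from a Secret through `secretKeyRef` so the admin password does not sit as a literal in the chart values or the rendered pod spec. The Secret name `splunk-admin`, its key `password`, the Pod and container names, and the placeholder password are assumptions.

```yaml
# Constructed example. Names and the password value are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: splunk-admin            # assumed Secret name
type: Opaque
stringData:
  password: REPLACE-ME          # placeholder; create the real Secret out of band
---
apiVersion: v1
kind: Pod
metadata:
  name: splunk                  # assumed Pod name
spec:
  containers:
    - name: splunk
      image: splunk/splunk:7.3.3   # image version named in the answer above
      env:
        - name: SPLUNK_START_ARGS
          value: "--accept-license --answer-yes"
        - name: SPLUNK_ENABLE_LISTEN
          value: "9997"
        - name: SPLUNK_ADD
          value: tcp 1514
        - name: SPLUNK_USER
          value: root
        # Required for a custom admin password on >= 7.3.x, per the answer above.
        # The value comes from the Secret rather than a plain "value:" field.
        - name: SPLUNK_PASSWORD
          valueFrom:
            secretKeyRef:
              name: splunk-admin
              key: password
```
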
I changed my config to
    env:
      - name: SPLUNK_START_ARGS
        value: "--accept-license --answer-yes --seed-passwd changeme"
      - name: SPLUNK_USER
        value: splunk
      - name: SPLUNK_ENABLE_LISTEN
        value: "9997"
      - name: SPLUNK_ADD
        value: tcp 1514
and everything started working
Hey @ajna,
Can you try checking the internal logs of Splunk for any errors?
The path for it is: $SPLUNK_HOME$/var/log/splunk
You need to check splunkd.log
I found this in the logs
    AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin