Deployment Architecture

With Red Hat Enterprise Linux(RHEL) 7.5 and a Splunk Forwarder, what is the command to start the Splunk service?

allenstg
New Member

What is the command to start the Splunk service? Or better, what is the Splunk service name?

Tried splunk and splunkd

This is RHEL 7.5 and Splunk Fowarder splunkforwarder-7.1.3-51d9cac7b837-linux-2.6-x86_64.rpm

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It depends on your environment. To start Splunk manually, use $SPLUNK_HOME/bin/splunk start.

To start Splunk automatically, you must enable boot-start. Run $SPLUNK_HOME/bin/splunk enable boot-start as root to have the forwarder run as root every time the server restarts. This is not optimal, however, as running non-OS processes as root could pose a security risk. A better option is to edit /etc/init.d/splunk to start Splunk as a different user.

Some systems use systemctl to start services at boot time. Talk to your Linix admin about that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It depends on your environment. To start Splunk manually, use $SPLUNK_HOME/bin/splunk start.

To start Splunk automatically, you must enable boot-start. Run $SPLUNK_HOME/bin/splunk enable boot-start as root to have the forwarder run as root every time the server restarts. This is not optimal, however, as running non-OS processes as root could pose a security risk. A better option is to edit /etc/init.d/splunk to start Splunk as a different user.

Some systems use systemctl to start services at boot time. Talk to your Linix admin about that.

---
If this reply helps you, Karma would be appreciated.
0 Karma

chrisbalmer
Engager

$SPLUNK_HOME/bin/splunk enable boot-start -user $user will configure the Splunk service to run as $user.

0 Karma

gjanders
SplunkTrust
SplunkTrust

As an alternative modify /opt/splunk/etc/splunk-launch.conf and set the OS user parameter in there to splunk
Or follow the steps in Configure Splunk Enterprise to start at boot time

0 Karma

allenstg
New Member

Hi Rich, that did help and I was able to get to that folder. I will try to use the user splunk splunk:

I'm trying to follow the next steps and get it to contact my Splunk indexer.

I added the FW command
Step 5. firewall-cmd --zone=public --add-port=8089/tcp –permanent
Step 5. firewall-cmd --zone=public --add-port=9998/tcp –permanent
Step 6. firewall-cmd –reload

I use a splunk deploy app and

These "apps" are installed into /etc/apps (reverse the slashes if on windows, but still the same path). A properly configured forwarder will have the following apps installed:

use_splunkdeploy  (installs config required to talk to the deployment server)

I've edited my inputs.conf to add index. hostname was already there.
I've restarted splunk but I'm not getting any traffic or the fwd_to_cluster_ssl folder not being created. I'm checking FW logs and not even seeing the block. What should I check next?

Splunk Service is running,
input.conf updated
config files uploaded
Local FW ports opened

0 Karma

richgalloway
SplunkTrust
SplunkTrust

So now you're doing more than just starting Splunk.
You've opened port 9998 in your firewall. Is that the port you've configured on both the forwarder and indexer? Is the indexer set to receive data?
What is the fwd_to_cluster_ssl folder? It's not a Splunk folder so the forwarder will not create it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...