Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk forwarder starts, then throws an error saying splunk hasn't started.

bcurtiss
Engager
‎01-07-2013 12:50 PM

I'm trying to get a splunk forwarder running on a linux box, but when I try to tell the forwarder to forward to a specific indexer, it throws an error saying that Splunk is not running. Anyone ever have this issue? I'm trying to use version 4.3.5.

This is what I tried to do:

[root:/opt/splunkforwarder/bin]# ./splunk start

Splunk> Finding your faults, just like mom.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
[ OK ]
Done.[root:/opt/splunkforwarder/bin]# ./splunk add localhost myindexer.net:9997
Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".
[root:/opt/splunkforwarder/bin]#

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bcurtiss
Engager
‎01-08-2013 11:26 AM

Thanks for the responses, but the problem was actually just because of a crappy firewall rule. I ended up running an strace and saw that it was failing on connect(); I fixed the rule and everything is fine now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bcurtiss
Engager
‎01-08-2013 11:26 AM

Thanks for the responses, but the problem was actually just because of a crappy firewall rule. I ended up running an strace and saw that it was failing on connect(); I fixed the rule and everything is fine now.

0 Karma
Reply
Solved! Jump to solution

tbarnard
Explorer
‎01-08-2013 10:17 AM

I've seen that behavior before when there old PID file is stuck. With splunk stopped check and see if /opt/splunkforwarder/var/run/splunk/splunkd.pid is still there and delete it if it is. Then start splunk again.

0 Karma
Reply
Solved! Jump to solution

tbarnard
Explorer
‎01-07-2013 04:18 PM

Have you started splunkforwarder before? The first time splunk starts you will need to accept it's license.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-07-2013 02:04 PM

try ./splunk status to see what is the process doing.
and check the internal logs in $SPLUNK_HOME/var/log/splunk/splunkd.log for errors.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...