How to get the "splunk" command working with Windows 2008 and UAC?

Lowell
Super Champion

This may be more of a Windows UAC question than a splunk question, but I'm guessing that others are going to be running into this too. (I don't have a lot of Win2k8 experience, so please forgive me if I'm missing something obvious.)

Whenever I try to run a "splunk" command from a Command Prompt on my Win2k8R2 box, I get prompted with a "User Account Control" dialog box:

Do you want to allow the following program to make changes to this computer?

Program name: splunk.exe
Verified publisher: Splunk Inc
File origin: Hard drive on this computer
Program location: "C:\Program Files\Splunk\bin\splunk.exe" test sourcetype H:\ArchivedLogs\log_archive.log

If I say "Yes" and allow the program to run, then splunk is run in a new Command Prompt window that flashes open, and for a split second I can see some text, but then it closes down before I can read anything.

I've also tried using the runas utility, but then I get the message:

RUNAS ERROR: Unable to run - splunk test sourcetype H:\ArchivedLogs\log_archive.log
740: The requested operation requires elevation.

If you are just running splunk start or something like that, then this doesn't matter too much, but there are plenty of commands that have output that I need to be able to see. (Such as "splunk test sourcetype <file>", or even a simple "splunk help".)

Any help would be appreciated.


I have a couple of Win2k8R2 servers set up with splunk and I've run into this issue on all of them so far. (I've tried this with various Splunk 4.1.x versions.) All of these installs have splunk running as the default local SYSTEM user.

I've tried a few different runas commands with no luck (but I could be missing something). Any attempts to redirect the standard output haven't worked either.

1 Solution

justinhart
Path Finder

When opening the command prompt, run it as Administrator. I tested this and it seems to get rid of the "Do you want to allow the following program to make changes to this computer?" box and separate cmd window.

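Putting justinhart's answer into a script, as an added example that is not from the thread and not Splunk's own tooling: the PowerShell below checks whether the current session already holds an elevated (Administrators) token and, if not, launches an elevated cmd.exe that stays open (cmd's /k switch) so the Splunk CLI output can actually be read instead of flashing by in a window that closes. It assumes the default install path quoted in the UAC dialog in the question and uses "splunk help" as a placeholder command; change $SplunkExe and $SplunkArgs to suit.

```powershell
# Added example (not from the thread): run a Splunk CLI command from an elevated
# console so its output stays visible, instead of in a second window that closes.
# Assumes the default install path shown in the question; adjust as needed.
$SplunkExe  = 'C:\Program Files\Splunk\bin\splunk.exe'
$SplunkArgs = @('help')   # e.g. @('test','sourcetype','H:\ArchivedLogs\log_archive.log')

function Test-IsElevated {
    # True when the current process token holds the Administrators role,
    # i.e. the console was started with "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (Test-IsElevated) {
    # Already elevated: splunk.exe inherits the token, so no UAC prompt appears
    # and its output lands in this console like any other command.
    & $SplunkExe $SplunkArgs
}
else {
    # Not elevated: runas.exe only switches user, it does not perform a UAC
    # elevation, which is why the question's runas attempt failed with 740
    # (ERROR_ELEVATION_REQUIRED). Ask the shell for an elevated cmd.exe instead.
    # "/k" keeps that new window open after the command finishes so the
    # output can be read. One UAC consent prompt will appear.
    $joinedArgs = $SplunkArgs -join ' '
    $cmdLine    = "/k `"`"$SplunkExe`" $joinedArgs`""
    Start-Process -FilePath 'cmd.exe' -Verb RunAs -ArgumentList $cmdLine
}
```

The doubled quotes in $cmdLine are deliberate: cmd.exe strips the outermost pair, leaving "C:\Program Files\Splunk\bin\splunk.exe" help as the command it executes. Once you are inside the elevated console, ordinary redirection (splunk help > out.txt) works as well, because the redirect is then done by the elevated shell rather than by a non-elevated parent that cannot attach to the elevated child's handles.
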
justinhart
Path Finder

UAC is not dependent on the system groups. Essentially nothing is run as Administrator unless you specifically tell it to.

0 Karma

Lowell
Super Champion

The migration crash seems to be related to yet another permissions issue. (I'm guessing Administrator vs SYSTEM?) But whatever, I think this is the right answer. Although I still don't understand why this works as the "Administrator" user, but not for a user who is in the Administrator group.

0 Karma

ftk
Motivator

justinhart's solution is how I handle it in my environment as well.

0 Karma

Lowell
Super Champion

Yeah, that does get rid of the UAC stuff, but I'm being told that a new version of Splunk was installed and the upgrade process needs to be run. Unfortunately it crashes during the migration.

0 Karma