Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AWS MarketPlace SPLUNK instance type upgrade

lorezyra
Explorer
‎03-15-2019 02:16 AM

I created an instance from the marketplace and later decided to change the instance type.
When I stopped the instance, I know that AWS will delete the ephemeral storage. I never configured SPLUNK to use it.
However, after the instance upgrade (from c5d.2xlarge to c5d.4xlarge), the SPLUNKd service fails to start.

What are the next recommended steps to get SPLUNK running again?
I'm not finding anything useful in /opt/splunk/var/log/splunk/splunkd.log ...

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-15-2019 08:55 AM

if you run /opt/splunk/bin/splunk restart on the CLI does it give you any information about the startup progress. Do you see any errors?

Did you originally run Splunk enable boot-start.

Finally, what version of Splunk, and is it systemd?

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-15-2019 08:55 AM

if you run /opt/splunk/bin/splunk restart on the CLI does it give you any information about the startup progress. Do you see any errors?

Did you originally run Splunk enable boot-start.

Finally, what version of Splunk, and is it systemd?

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

lorezyra
Explorer
‎03-16-2019 03:46 AM

Using MarketPlace SPLUNK Enterprise (core) 7.2.0

Splunk status initially spat error about splunkd not running and hung on killing the child processes. After rebooting the server, splunk status then complained about permission denied for the config files.
Found the config files were set to root:root. So, I chown splunk:splunk -R /opt/splunkand reboot the server again. Then everything came back up!

So, my question now: Why did I need to do all that?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-16-2019 05:10 AM

If you ran Splunk as root by mistake, it may have changed the permissions on the folders, then later when you run it as the Splunk user, it can’t access the files.

It’s easily done.

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...