Splunk server unable to start after upgrade to 6.2...

hanshen · ‎04-20-2015

We have splunk dev server upgrade to 6.2.2., using splunk account to start and failed, message below:

[servername:/opt/splunk/bin]$ splunk start

Splunk> The IT Search Engine.

Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
execve: Permission denied
while running command /usr/bin/startsrc
Splunk boot-start is enabled. please use /usr/bin/startsrc -s splunkd to start splunk

[servername:/opt/splunk/bin]$

root can start it use /usr/bin/startsrc -s splunkd to start splunk, however we would like to use splunk account to start/stop server.

What permission should splunk account have to start/stop splunk server on AIX?

hanshen · ‎04-21-2015

This is a bug in 6.2.2 in AIX per Splunk support. Defect SPL-96141, will be fixed for 6.2.3.

hanshen · ‎04-20-2015

Is it new in 6.2.2? our prod is using 443 which is 5.x without this issue.

harsmarvania57 · ‎04-20-2015

Check this it might help you http://answers.splunk.com/answers/155288/when-trying-to-start-splunk-im-getting-an-execve-permission...

hanshen · ‎04-20-2015

Checked there is not the line below in the /etc/inittab file:
$SPLUNK_HOME/bin/splunk enable boot-start

The starting message show: Splunk boot-start is enabled.
So where to setup Splunk boot-start is enabled besides /etc/inittab file?

hanshen · ‎04-20-2015

We have root run
/opt/splunk/bin/splunk enable boot-start -user splunk
0513-071 The splunkd Subsystem has been added.
0513-071 The splunkweb Subsystem has been added.
SRC subsystem group installed.
SRC subsystem group is configured to run at boot.

But still unluck to run as splunk user:

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
execve: Permission denied
while running command /usr/bin/startsrc
Splunk boot-start is enabled. please use /usr/bin/startsrc -s splunkd to start splunk

harsmarvania57 · ‎04-20-2015

You have given webport as 443 and < 1024 port will be bind by root user only. If you want to start splunk as splunk user then use > 1024 port for splunk web.

Raghav2384 · ‎04-20-2015

Trying owning /opt/splunk for splunk user and splunk group and try

hanshen · ‎04-20-2015

Yes, this has been verified...

Splunk server unable to start after upgrade to 6.2.2

We have splunk dev server upgrade to 6.2.2., using splunk account to start and failed, message below:

[servername:/opt/splunk/bin]$

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases