- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: Splunk reports first-time run failed!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk reports first-time run failed!
Hi Guys,
I tried to run Splunk but it gives errors as below:
[splunk@ip-172-31-10-67 bin]$ sudo ./splunk enable boot-start -user splunk --accept-license
Warning: cannot create "/opt/splunk/var/log/splunk"
Warning: cannot create "/opt/splunk/var/log/introspection"
Warning: cannot create "/opt/splunk/var/log/watchdog"
Warning: cannot create "/opt/splunk/etc/licenses/download-trial"
First-time run failed!
[splunk@ip-172-31-10-67 bin]$ sudo ./splunk start --accept-license
Warning: cannot create "/opt/splunk/var/log/splunk"
Warning: cannot create "/opt/splunk/var/log/introspection"
Warning: cannot create "/opt/splunk/var/log/watchdog"
Warning: cannot create "/opt/splunk/etc/licenses/download-trial"
How to resolve these warnings? Also is it possible to provide a response file when we run the Splunk for the first time so I do not have to type the responses thereby we can automate without manual intervention?
Please assist.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @aagashe,
it looks like a permission issue, the splunk folders and files belong to other user (or root?) or splunk is already running. It happens often if splunk installed from tgz.
Run with root privileges (change the $SPLUNK_HOME as appropriate):
sudo pkill -f splunk
sudo chown -R splunk:splunk /opt/splunk
sudo /opt/splunk/bin/splunk enable boot-start -user splunk --accept-license
sudo systemctl start splunk
The modern way to run Splunk is using systemd, so you can change it to:
sudo pkill -f splunk
sudo chown -R splunk:splunk /opt/splunk
sudo ./splunk enable boot-start -user splunk -systemd-managed 1 --accept-license
sudo systemctl start Splunkd
if you choose the last method, stick to it and start/stop splunk using "sudo systemctl" only.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, how to provide username and password? When I run for the first time I have to provide username and password, I was thinking if there is a response file so that part can be automated as well.
Please guide.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@aagashe,
there are various scripts to install splunk on linux, also for an unattended install:
Additionally check this: https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/StartSplunkforthefirsttime#Start_Spl...
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
