Splunk® Enterprise

Admin Manual

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

Configure Splunk to start at boot time

On Windows, Splunk starts by default at machine startup. To disable this, see "Disable boot-start on Windows" at the end of this topic.

On *nix platforms, you must configure Splunk to start at boot time.

Enable boot-start on *nix platforms

Splunk provides a utility that updates your system boot configuration so that Splunk starts when the system boots up. This utility creates a suitable init script (or makes a similar configuration change, depending on your OS).

As root, run:

$SPLUNK_HOME/bin/splunk enable boot-start

If you don't start Splunk as root, you can pass in the -user parameter to specify which user to start Splunk as. For example, if Splunk runs as the user bob, then as root you would run:

$SPLUNK_HOME/bin/splunk enable boot-start -user bob

If you want to stop Splunk from running at system startup time, run:

$SPLUNK_HOME/bin/splunk disable boot-start

More information is available in $SPLUNK_HOME/etc/init.d/README, or by typing help boot-start at the command line.
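When the -user parameter moves Splunk from root to an unprivileged account, everything under $SPLUNK_HOME must already belong to that account, and nothing in a tree that is launched at boot should be world-writable. The following pre-flight check is an added example, not part of the Splunk documentation or CLI; the function names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Splunk CLI: pre-flight check to run before
#   $SPLUNK_HOME/bin/splunk enable boot-start -user <name>
# All function names below are hypothetical.

# Print every path under directory $1 that is NOT owned by user $2.
# find exits non-zero if the user name is unknown or a directory is unreadable.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Print regular files under directory $1 that any local account can write to.
writable_by_others() {
    find "$1" -type f -perm -0002 -print
}

# Return 0 if the tree can be handed to the service account, 1 if findings
# were printed, 2 if the tree could not be scanned.
preflight_boot_user() {
    home=$1; user=$2; rc=0
    foreign=$(not_owned_by "$home" "$user") || return 2
    loose=$(writable_by_others "$home") || return 2
    if [ -n "$foreign" ]; then
        echo "Not owned by $user (may be unreadable or unwritable once Splunk runs as $user):"
        echo "$foreign" | head -n 5
        rc=1
    fi
    if [ -n "$loose" ]; then
        echo "World-writable files in a tree that is started at boot:"
        echo "$loose" | head -n 5
        rc=1
    fi
    return "$rc"
}

# Usage: sh preflight.sh /opt/splunk bob
if [ "$#" -eq 2 ]; then
    preflight_boot_user "$1" "$2"
fi
```

A non-zero result means ownership or permissions should be corrected before boot-start is enabled for that user.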

Note for Mac users

Splunk automatically creates a script and configuration file in the directory: /System/Library/StartupItems. This script is run at system start, and automatically stops Splunk at system shutdown.

Note: If you are using Mac OS, you must have root-level permissions (or use sudo). You need administrator access to use sudo.


Enable Splunk to start at system start up on Mac OS using:

just the CLI:

./splunk enable boot-start

the CLI with sudo:

sudo ./splunk enable boot-start

Disable boot-start on Windows

By default, Splunk starts automatically when you start your Windows machine. You can configure the Splunk processes (splunkd and splunkweb) to start manually from the Windows Services control panel.

This documentation applies to the following versions of Splunk® Enterprise:


It would be great to clean out the old comments here - or at least to tag them with the relevant version. It looks like many of these go back to Splunk 4.3.x
If you are a reader of these comments, please note the dates!

Lguinn, Splunker
July 6, 2016

I believe the Mac section of this document needs to be updated. The following quote is no longer true,
"Splunk automatically creates a script and configuration file in the directory: /System/Library/StartupItems."

This script is now placed in /Library/LaunchAgents/. Which is good because StartupItems is deprecated. Here is a quote from my CLI:
"# ./splunk enable boot-start
Init script installed at /Library/LaunchAgents//com.splunk.plist.
Init script is configured to run at boot."

May 20, 2016

One problem with Splunk 6.3.3 is that both splunkforwarder and splunk server will create an init script with the same name so on *nix machines if you run:
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk
and then
/opt/splunk/bin/splunk enable boot-start -user splunk
The init script will overwrite the previous one. It seems like it would be an easy fix to just rename the init script the forwarder generates to "splunkforwarder".

February 11, 2016

Hi Ziaunys,

The Splunk binary has logic to install the boot script files based on the host it is on. This means inclusion of those files is unnecessary. In fact, if we did include the files, they would likely cause more problems than they solve.

The same goes with systemd unit files. We do not yet have support for systemd built in, but when we do, it will be automatic in the same way we support init.d, and be based on the host on which you installed the software.

Malmoore, Splunker
February 10, 2016

It seems like it would make more sense to distribute the init scripts in packages (for systems with Splunk provided packages). Also, in the newer deb and rpm packages it would be nice if they shipped with systemd unit files.

February 9, 2016

I had a successfully running splunk implementation, but now I have run this command (to enable boot-start for user 'splunk') and get permission denied and file unreadable for root. I have disabled boot-start and still cannot check the status or start:
Checking prerequisites...
Cannot open file=/opt/splunk/etc/system/local/server.conf for parsing: Permission denied
Cannot create username mapping file: /opt/splunk/etc/users/users.ini: Permission denied
Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Error opening username mapping file: /opt/splunk/etc/users/users.ini
Cannot initialize: /opt/splunk/etc/apps/search/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkweb.pid" unreadable.: Permission denied

April 27, 2015

@Marcelin:

Hi. Octavio here, with Splunk Support.

I am very sorry that you are experiencing serious difficulties setting up Splunk on your system. While I haven't heard yet of an issue where "splunk enable boot-start" affected the ability of the host operating system to boot up, this is an issue that should be fully explored.

If you have an Enterprise Support contract, I would like to encourage you to open a case with Splunk Support @ http://www.splunk.com/page/sso_redirect?type=portal to have this issue investigated.

Please make sure to include details about:
* The steps that were taken to lead to the operating system corruption.
* The errors reported by the operating system during the boot sequence.
* Any other information that you may have acquired during a post-mortem investigation of the issue and that led you to determine that "splunk enable boot-start" is accountable for this issue.

September 29, 2014

Don't even think of doing this! The changes made by "splunk enable boot-start" left us with a corrupted, unbootable Amazon EC2 instance. Even after detaching the root volume, attaching it to a different instance, and removing splunk startup script references from /etc/init.d and /etc/rc*.d, the root volume could not be restored to bootable condition.

I should add that the $SPLUNK_HOME/etc/init.d/README file is deprecated. It says that the splunk CLI will make whatever configuration changes are necessary for a given operating system, but does not document the potential changes.

This will be our third time installing Splunk. The second time was due to the disappearance of the username and password fields in Splunk Web (documented elsewhere in the knowledge base, with no official solution and the user-contributed solutions ineffective).

September 26, 2014

@Azul If you are having difficulties, possibly your best point of reference is to search http://answers.splunk.com (Splunkbase Answers) as the comment instructions themselves suggest.

October 21, 2013

Thanks Malmoore for the feedback.

While I was logged in as user root, I executed the commands:

[root@myserver bin]# ./splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is *not* configured to run at boot.

[root@myserver bin]# chkconfig --list | grep splunk
splunk 0:desactivado 1:desactivado 2:activo 3:activo 4:activo 5:activo 6:desactivado

October 18, 2013

Hi Azul,

It's actually saying "Init script is *not* configured to run at boot"?

This seems like a permissions issue. Run 'splunk enable boot-start' again, as root, then run 'chkconfig --list | grep splunk' and see if anything comes back. If nothing comes back, then you don't have enough permissions to install the boot enable scripts.

October 17, 2013

I have the output:
"Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot."

I used #sudo su, #sudo -E ..., #... -user root, #... -user splunk
But nothing works ... did someone have the same problem?

October 16, 2013

NOTE: If trying to run this command as non-root user (user123 say), you will need to run sudo with the -E option:

[user123] $ sudo -E splunk enable boot-start -user user123

The -E option will prevent errors 'Could not determine $SPLUNK_HOME' or 'Could not find chkconfig', even when your environment has them. See man sudo for more details.

Rrizvi splunk, Splunker
December 22, 2011

Correct me if I'm wrong, but if sestatus returns SELinux disabled, you don't have to worry about creating the /etc/sysconfig/splunk file with those parameters, yes?

September 23, 2011

You should only use the SPLUNK_IGNORE_SELINUX variable if you have previously run the following command to set SELinux correctly:

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null

October 8, 2010

I also think a one liner of:
export SPLUNK_IGNORE_SELINUX=1

should do the trick.

August 31, 2010

thank you, Rohare!

August 16, 2010

To get SPLUNK_IGNORE_SELINUX in the environment create file "/etc/sysconfig/splunk" with the following contents:

SPLUNK_IGNORE_SELINUX=1
export SPLUNK_IGNORE_SELINUX

August 15, 2010

The generated splunk startup script fails to start splunk because the SPLUNK_IGNORE_SELINUX environment variable is not set.

How does one add the variable to the environment? I tried adding an export to the startup script, but that did not work.

August 15, 2010
