Admin Manual


Configure Splunk to start at boot time

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

On Windows, Splunk starts by default at machine startup. To disable this, see "Disable boot-start on Windows" at the end of this topic.

On *nix platforms, you must configure Splunk to start at boot time.

Enable boot-start on *nix platforms

Splunk provides a utility that updates your system boot configuration so that Splunk starts when the system boots up. This utility creates a suitable init script (or makes a similar configuration change, depending on your OS).

As root, run:

$SPLUNK_HOME/bin/splunk enable boot-start

If you don't start Splunk as root, you can pass in the -user parameter to specify which user to start Splunk as. For example, if Splunk runs as the user bob, then as root you would run:

$SPLUNK_HOME/bin/splunk enable boot-start -user bob

If you want to stop Splunk from running at system startup time, run:

$SPLUNK_HOME/bin/splunk disable boot-start

More information is available in $SPLUNK_HOME/etc/init.d/README and by typing help boot-start at the command line.
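
A check you can run after the command above, as an added example that is not part of the Splunk documentation: it reads one `chkconfig --list` line for the enabled runlevels and verifies that the generated init script is root-owned and not group- or world-writable. It assumes a chkconfig-based Linux system and the init script path /etc/init.d/splunk that the command reports; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit what `splunk enable boot-start` left behind on a
# chkconfig-based system. The function names are hypothetical.

# Print the runlevels that one `chkconfig --list` line marks as "on".
# Run chkconfig as `LC_ALL=C chkconfig --list` first: a localized line
# ("2:activo") has no "on" fields and yields an empty result here.
runlevels_on() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[2] == "on") out = out kv[1]
        }
        print out
    }'
}

# Succeed only if FILE is a regular file (not a symlink) owned by WANT_UID
# and not writable by group or others. The init script is executed by root
# at boot, so with `-user bob` it must stay root-owned (WANT_UID=0);
# otherwise the service account could edit code that root runs.
init_script_ok() {
    file=$1
    want_uid=$2
    [ -f "$file" ] || return 1
    [ ! -L "$file" ] || return 1
    owner=$(ls -ldn "$file" | awk '{print $3}')
    [ "$owner" = "$want_uid" ] || return 1
    [ -z "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample line (C locale), not captured from a real host.
SAMPLE='splunk 0:off 1:off 2:on 3:on 4:on 5:on 6:off'
echo "enabled runlevels: $(runlevels_on "$SAMPLE")"

# On a real host, as root:
#   init_script_ok /etc/init.d/splunk 0 && echo "init script permissions ok"
```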

Note for Mac users

Splunk automatically creates a script and configuration file in the directory: /System/Library/StartupItems. This script is run at system start, and automatically stops Splunk at system shutdown.

Note: If you are using Mac OS, you must have root level permissions (or use sudo). You need administrator access to use sudo.


Enable Splunk to start at system start up on Mac OS using:

just the CLI:

./splunk enable boot-start

the CLI with sudo:

sudo ./splunk enable boot-start

Disable boot-start on Windows

By default, Splunk starts automatically when you start your Windows machine. You can configure the Splunk processes (splunkd and splunkweb) to start manually from the Windows Services control panel.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.2.0, 6.2.1, 6.2.2


@Marcelin:

Hi. Octavio here, with Splunk Support.

I am very sorry that you are experiencing serious difficulties setting up Splunk on your system. While I haven't heard yet of an issue where "splunk enable boot-start" affected the ability of the host operating system to boot up, this is an issue that should be fully explored.

If you have an Enterprise Support contract, I would like to encourage you to open a case with Splunk Support @ to have this issue investigated.

Please make sure to include details about:
* The steps that were taken to lead to the operating system corruption.
* The errors reported by the operating system during the boot sequence.
* Any other information that you may have acquired during a post-mortem investigation of the issue and that led you to determine that "splunk enable boot-start" is accountable for this issue.

September 29, 2014

Don't even think of doing this! The changes made by "splunk enable boot-start" left us with a corrupted, unbootable Amazon EC2 instance. Even after detaching the root volume, attaching it to a different instance, and removing splunk startup script references from /etc/init.d and /etc/rc*.d, the root volume could not be restored to bootable condition.

I should add that the $SPLUNK_HOME/etc/init.d/README file is deprecated. It says that the splunk CLI will make whatever configuration changes are necessary for a given operating system, but does not document the potential changes.

This will be our third time installing Splunk. The second time was due to the disappearance of the username and password fields in Splunk Web (documented elsewhere in the knowledge base, with no official solution and the user-contributed solutions ineffective).

September 26, 2014

@Azul If you are having difficulties, possibly your best point of reference is to search (Splunkbase Answers) as the comment instructions themselves suggest.

October 21, 2013

Thanks Malmoore for the feedback.

While I was logged in as user root, I executed the commands:

[root@myserver bin]# ./splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is *not* configured to run at boot.

[root@myserver bin]# chkconfig --list | grep splunk
splunk 0:desactivado 1:desactivado 2:activo 3:activo 4:activo 5:activo 6:desactivado

October 18, 2013

Hi Azul,

It's actually saying "Init script is *not* configured to run at boot"?

This seems like a permissions issue. Run 'splunk enable boot-start' again, as root, then run 'chkconfig --list | grep splunk' and see if anything comes back. If nothing comes back, then you don't have enough permissions to install the boot enable scripts.

October 17, 2013

I have the output:
"Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot."

I used #sudo su, #sudo -E ..., #... -user root, #... -user splunk
But nothing works ... did someone have the same problem?

October 16, 2013

NOTE: If trying to run this command as non-root user (user123 say), you will need to run sudo with the -E option:

[user123] $ sudo -E splunk enable boot-start -user user123

The -E option will prevent errors 'Could not determine $SPLUNK_HOME' or 'Could not find chkconfig', even when your environment has them. See man sudo for more details.

Rrizvi splunk, Splunker
December 22, 2011

Correct me if I'm wrong, but if sestatus returns SELinux disabled, you don't have to worry about creating the /etc/sysconfig/splunk file with those parameters, yes?

September 23, 2011

You should only use the SPLUNK_IGNORE_SELINUX variable if you have previously run the following command to set SELinux correctly:

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null

October 8, 2010

I also think a one liner of:
export SPLUNK_IGNORE_SELINUX=1

should do the trick.

August 31, 2010

thank you, Rohare!

August 16, 2010

To get SPLUNK_IGNORE_SELINUX in the environment create file "/etc/sysconfig/splunk" with the following contents:

SPLUNK_IGNORE_SELINUX=1
export SPLUNK_IGNORE_SELINUX

August 15, 2010

The generated splunk startup script fails to start splunk because the SPLUNK_IGNORE_SELINUX environment variable is not set.

How does one add the variable to the environment? I tried adding an export to the startup script, but that did not work.

August 15, 2010
