Splunk® Enterprise

Admin Manual

Download manual as PDF

Download topic as PDF

Start and stop Splunk Enterprise

This topic provides brief instructions for starting and stopping Splunk Enterprise.

Start Splunk Enterprise on Windows

On Windows, Splunk Enterprise installs by default into C:\Program Files\Splunk. Many examples in the Splunk documentation use $SPLUNK_HOME to indicate the Splunk installation directory. You can replace the string $SPLUNK_HOME (and the Windows variant %SPLUNK_HOME%) with C:\Program Files\Splunk if you installed Splunk Enterprise into the default directory.

Splunk Enterprise installs with two services, splunkd and splunkweb. In normal operation, only splunkd runs, handling all Splunk Enterprise operations, including the Splunk Web interface. To change this, you must put Splunk Enterprise in legacy mode. Read Start Splunk Enterprise on Windows in legacy mode.

You can start and stop Splunk on Windows in one of the following ways:

1. Start and stop Splunk Enterprise processes via the Windows Services control panel (accessible from Start -> Control Panel -> Administrative Tools -> Services)

  • Server daemon and Web interface: splunkd
  • Web interface (in legacy mode only): splunkweb. In normal operation, this service starts, then immediately quits when it receives a start request.

2. Start and stop Splunk Enterprise services from a command prompt by using the NET START <service> or NET STOP <service> commands:

  • Server daemon and Web interface: splunkd
  • Web interface (in legacy mode only): splunkweb. In normal operation, this service starts, then immediately quits when it receives a start request.

3. Start, stop, or restart both processes at once by going to %SPLUNK_HOME%\bin and typing

> splunk [start|stop|restart]

Start Splunk Enterprise on Windows in legacy mode

If you want run Splunk Enterprise in legacy mode, where splunkd and splunkweb both run, you must change a configuration parameter.

Important: Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. Once you correct the issues, return Splunk Web to normal mode as soon as possible.

To put Splunk Enterprise in legacy mode:

1. From a command prompt, go to %SPLUNK_HOME%\etc\system\local.

2. Edit %SPLUNK_HOME%\etc\system\local\web.conf, or create a new file named web.conf in %SPLUNK_HOME%\etc\system\local if one does not already exist. See How to edit a configuration file.

3. In web.conf, set the appserverPorts and httpport attributes as follows:

[settings]
appServerPorts = 0
httpport = 8000

4. Save the file and close it.

5. Restart Splunk Enterprise. The splunkd and splunkweb services start and remain running.

6. Log into Splunk Enterprise by browsing to http://<server name>:<httpport> and entering your credentials.

To restore normal Splunk Enterprise operations, edit %SPLUNK_HOME%\etc\system\local\web.conf to remove the appServerPorts and httpport attributes.

Start Splunk Enterprise on UNIX

Splunk Enterprise installs with one process on *nix, splunkd. In normal operation, only splunkd runs, handling all Splunk Enterprise operations, including the Splunk Web interface. To change this, you must put Splunk Enterprise in legacy mode. See "Start Splunk Enterprise on Unix in legacy mode."

Start Splunk Enterprise

From a shell prompt on the Splunk Enterprise server host, run this command:

# splunk start

Note: If you have configured Splunk Enterprise to start at boot time, you should start it using the service command. This ensures that the user configured in the init.d script starts the software.

# service splunk start

This starts splunkd (indexer and the Splunk Web interface).

To start them individually, type:

# splunk start splunkd

or

(in legacy mode only) # splunk start splunkweb

Note: If either the startwebserver attribute is disabled, or the appServerPorts attribute is set to anything other than 0 in web.conf, then manually starting splunkweb does not do anything. The splunkweb process will not start in either case. See Start Splunk Enterprise on Unix in legacy mode."

To restart Splunk Enterprise (splunkd or splunkweb) type:

# splunk restart

# splunk restart splunkd

(in legacy mode only) # splunk restart splunkweb

Start Splunk Enterprise on Unix in legacy mode

If you want run Splunk Enterprise in such a way that splunkd and splunkweb both run, you must put Splunk Enterprise into legacy mode.

To put Splunk Enterprise in legacy mode:

1. From a shell prompt, go to $SPLUNK_HOME/etc/system/default.

2. Make a copy of web.conf and place it into $SPLUNK_HOME/etc/system/local.

3. Edit web.conf in $SPLUNK_HOME/etc/system/local.

4. In web.conf, set the appserverPorts and httpport attributes as follows:

[settings]
appServerPorts = 0
httpport = 8000

5. Save the file and close it.

6. Restart Splunk Enterprise (see "Start Splunk Enterprise on Unix"). The splunkd and splunkweb services start and remain running.

7. Log into Splunk Enterprise by browsing to http://<server name>:<httpport> and entering your credentials.

To restore normal Splunk Enterprise operations: edit %SPLUNK_HOME%\etc\system\local\web.conf and remove the appServerPorts and httpport attributes.

Stop Splunk Enterprise

To shut down Splunk Enterprise, run this command:

# splunk stop

To stop splunkd and Splunk Web individually, type:

# splunk stop splunkd

or

(in legacy mode only) # splunk stop splunkweb

Check if Splunk is running

To check if Splunk Enterprise is running, type this command at the shell prompt on the server host:

# splunk status

You should see this output:

splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).

If Splunk Enterprise runs in legacy mode, you will see an additional line in the output:

splunkweb is running (PID: 3216).

Note: On Unix systems, you must be logged in as the user who runs Splunk Enterprise to run the splunk status command. Other users cannot read the necessary files to report status correctly.

If splunk status decides that the service is running it will return the status code 0, or success. If splunk status determines that the service is not running it will return the Linux Standard Base value for a non-running service, 3. Other values likely indicate splunk status has encountered an error.


You can also use ps to check for running Splunk Enterprise processes:

# ps aux | grep splunk | grep -v grep

Solaris users should use the -ef arguments to ps instead of aux:

# ps -ef | grep splunk | grep -v grep

Restart Splunk Enterprise from Splunk Web

You can also restart Splunk from Splunk Web:

1. Navigate to System > Server controls.

2. Click Restart Splunk.

This will restart the splunkd and (in legacy mode only) the splunkweb processes.

PREVIOUS
Customize the CLI login banner
  NEXT
Configure Splunk to start at boot time

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters