Splunk® Enterprise

Admin Manual

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Configure Splunk Enterprise to start at boot time

On most operating systems, you can configure Splunk software to start running automatically after the machine and operating system boots. This reduces interruption of both sending and receiving data. All on-premises versions of Splunk software can be configured this way. On *nix platforms, you must manually configure the software to start at boot time after you install it.

You can configure the software as either the root user, or as a regular user with the sudo command. Nearly all distributions include sudo but if yours does not have it, you should consult the help for your distribution to download, install, and configure it.

Enable boot-start on the Windows platform

On Windows, the installer configures Splunk software to start at machine startup. To disable this, see Disable boot-start on Windows at the end of this topic.

Enable boot-start on *nix platforms

Splunk provides a utility that updates your system boot configuration so that the software starts when the system boots up. This utility creates an init script (or makes a similar configuration change, depending on your OS).

  1. Log into the machine that you have installed Splunk software on and that you want to configure to run at boot time.
  2. Become the root user if able. Otherwise, you must run the following commands with the sudo utility.
  3. Run the following command: 
    [sudo] $SPLUNK_HOME/bin/splunk enable boot-start

The init.d boot-start script is not compatible with RHEL 8 and higher. You can instead configure systemd to manage boot start and run splunkd as a service. For more information, see Enable boot start on machines that run systemd.

Enable boot-start as a non-root user

If you do not run Splunk software as the root user, you can pass in the -user parameter to specify the Splunk software user. The user that you want to run Splunk software as must already exist. If it does not, then create the user prior to running this procedure.

The following procedure configures Splunk software to start at boot time as the user 'bob'. You can substitute 'bob' with the user that Splunk software should use to start at boot time on the local machine.

  1. Log into the machine.
  2. Become the root user.
  3. Run the following command:
    [sudo] $SPLUNK_HOME/bin/splunk enable boot-start -user bob
  4. Change the ownership of the Splunk installation directory and all its files to user bob: 
    [sudo] chown -R bob $SPLUNK_HOME
  5. Using a text editor, open /etc/init.d/splunk for editing.
  6. Update the service file to add the service user, and enclose the command in single quotes. Note the addition of the user field and {USER} variables su - ${USER} -c, and the placement of single quotes to encapsulate only the service command. The init.d service file will have minor differences based upon the *nix distribution and version. An example is provided in the "After" table.
    Before 
    RETVAL=0

. /etc/init.d/functions

splunk_start() {
  echo Starting Splunk...
  "$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_stop() {
  echo Stopping Splunk...
 "$SPLUNK_HOME/bin/splunk" stop
  RETVAL=$?
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/splunk
}
splunk_restart() {
  echo Restarting Splunk...
  "$SPLUNK_HOME/bin/splunk" restart
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_status() {
  echo Splunk status:
  "$SPLUNK_HOME/bin/splunk" status
  RETVAL=$?
}
case "$1" in
    After 
    RETVAL=0
USER=bob

. /etc/init.d/functions

splunk_start() {
  echo Starting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_stop() {
  echo Stopping Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" stop'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/splunk
}
splunk_restart() {
  echo Restarting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" restart'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_status() {
  echo Splunk status:
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" status'
  RETVAL=$?
}
case "$1" in

    Confirm that each splunk command has single quotes around it, and is preceded with the service user substitution.

  7. Save the file and close it.

Changes take effect the next time you boot the machine.

Enable boot-start on machines that run systemd

On Linux machines that use the systemd system manager, you can configure Splunk Enterprise to let systemd control it. By default, Splunk Enterprise configures itself to run as a init-managed service, and does not use systemd.

  1. Log into the machine that you have installed Splunk software on and that you want to configure to run at boot time.
  2. Become the root user if able. Otherwise, you must run the following commands with the sudo utility.
  3. Run the following command: 
    [sudo] $SPLUNK_HOME/bin/splunk enable boot-start -user bob -systemd-managed 1

See Run Splunk Enterprise as a systemd service for additional information on Splunk Enterprise and systemd.

Enable boot-start on machines that run AIX

These instructions work for both Splunk Enterprise and the AIX version of the Splunk universal forwarder. Splunk does not offer a version of Splunk Enterprise for AIX for versions later than 6.3.0.

The AIX version of Splunk does not register itself to auto-start on machine boot. You can configure it to use the System Resource Controller (SRC) to handle boot-time startup.

When you enable boot start on an AIX system, Splunk software interacts with the AIX SRC to enable automatic starting and stopping of Splunk services.

mkssys -G splunk -s splunkd -p <path to splunkd> -u <splunk user> -a _internal_exec_splunkd -S -n 2 -f 9
mkssys -G splunk -s splunkweb -p <path to python> -u <splunk user> -a _internal_exec_splunkweb -S -n 15 -f 9 (on Splunk Enterprise only)

When you enable automatic boot start, the SRC handles the run state of the Splunk Enterprise service. You must use a different command to start and stop Splunk software manually.

  • /usr/bin/startsrc -s splunkd to start Splunk software manually.
  • /usr/bin/stopsrc -s splunkd to stop Splunk software manually.

If you try to start and stop the software with the ./splunk [start|stop] method from the $SPLUNK_HOME directory, the SRC catches the attempt and displays the following message:

Splunk boot-start is enabled. Please use /usr/bin/[startsrc|stopsrc] -s splunkd to [start|stop] Splunk.

To prevent this message from occurring and restore the ability to start and stop Splunk Enterprise from the $SPLUNK_HOME directory, disable boot start:

[sudo] ./splunk disable boot-start
  • For more information on the mkssys command line arguments, see Mkssys command on the IBM pSeries and AIX Information Center website.
  • For more information on the SRC, see System resource controller on the IBM Knowledge Center website.

Enable boot-start on AIX to run Splunk Software as a root user

  1. Log into the AIX machine.
  2. Become the root user, if able. Otherwise, you must prepend sudo to the following command examples. If you do not have sudo on your AIX instance, you must download, install, and configure it.
  3. Change to the Splunk bin directory.
  4. Enable boot start:
    [sudo] ./splunk enable boot-start

Enable boot-start on AIX to run Splunk software as a non-root user

  1. Log into the AIX machine.
  2. Become the root user, if able. Otherwise, you must prepend sudo to the following command examples. If you do not have sudo on your AIX instance, you must download, install, and configure it.
  3. Create the user account that the Splunk software should run as. For example, if the splunk user should run the software: 
    [sudo] mkuser splunk
[sudo] chown -R splunk <Splunk directory>
  4. Change to the Splunk bin directory.
  5. Enable boot start and specify the -user flag with the user that the software should run as.
    [sudo] ./splunk enable boot-start -user <user that Splunk should run as>

Enable boot-start on MacOS

Splunk software automatically creates a script and configuration file in the directory /System/Library/StartupItems on the volume that booted your Mac. This script runs when your Mac starts, and automatically stops Splunk when you shut down your Mac.

If you want, you can still enable boot-start manually. You must either have root level permissions or use sudo to run the following command. You must have at least administrator access to your Mac to use sudo. If you installed Splunk software in a different directory, replace the example below with your instance location.

  1. Log into your machine.
  2. Open the Terminal app.
  3. Change to the Splunk bin directory:
    cd /Applications/Splunk/bin
  4. Enable boot start:
    [sudo] ./splunk enable boot-start

Enable boot-start on MacOS as a non-root user

  1. Log into your machine.
  2. Open the Terminal app.
  3. Change to the Splunk bin directory:
    cd /Applications/Splunk/bin
  4. Enable boot start:
    [sudo] ./splunk enable boot-start -user <user Splunk Enterprise should run as>
  5. Open /Library/LaunchItems/com.splunk.plist for editing.
  6. Locate the line that begins with <dict>.
  7. Immediately after this line, add the following block of code:
        <key>UserName</key>
    <string><user Splunk Enterprise should run as></string>
  8. Save the file and close it.

Changes take effect the next time you boot the machine.

Disable boot-start

If you want to stop Splunk software from running at machine boot time, run: 

[sudo] $SPLUNK_HOME/bin/splunk disable boot-start

Disable boot-start on Windows

By default, Splunk starts automatically when you start your Windows machine. You can configure the Splunk processes (splunkd and splunkweb) to start manually from the Windows Services control panel.

Get more help on boot-start

To learn more about boot-start and how to enable it, see the following:

  • The file $SPLUNK_HOME/etc/init.d/README
  • The output from the $SPLUNK_HOME/bin/splunk help boot-start command on your Splunk software instance.
Last modified on 26 March, 2024
Start and stop Splunk Enterprise   Run Splunk Enterprise as a systemd service

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters