
Configure Splunk Enterprise to start at boot time
On most operating systems, you can configure Splunk software to start running automatically after the machine and operating system boot. This reduces interruption of both sending and receiving data. All on-premises versions of Splunk software can be configured this way. On *nix platforms, you must manually configure the software to start at boot time after you install it.
You can configure the software as either the root user, or as a regular user with the sudo command. Nearly all distributions include sudo, but if yours does not have it, you should consult the help for your distribution to download, install, and configure it.
Enable boot-start on the Windows platform
On Windows, the installer configures Splunk software to start at machine startup. To disable this, see Disable boot-start on Windows at the end of this topic.
Enable boot-start on *nix platforms
Splunk provides a utility that updates your system boot configuration so that the software starts when the system boots up. This utility creates an init script (or makes a similar configuration change, depending on your OS).
- Log into the machine that you have installed Splunk software on and that you want to configure to run at boot time.
- Become the root user if able. Otherwise, you must run the following commands with the sudo utility.
- Run the following command:
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start
Enable boot-start as a non-root user
If you do not run Splunk software as the root user, you can pass in the -user parameter to specify the Splunk software user. The user that you want to run Splunk software as must already exist. If it does not, then create the user prior to running this procedure.
The following procedure configures Splunk software to start at boot time as the user 'bob'. You can substitute 'bob' with the user that Splunk software should use to start at boot time on the local machine.
- Log into the machine.
- Become the root user.
- Run the following command:
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start -user bob
- Change the ownership of the Splunk installation directory and all its files to user bob:
[sudo] chown -R bob $SPLUNK_HOME
- Using a text editor, open /etc/init.d/splunk for editing.
- Make the following changes as shown in the "After" table:

Before:

RETVAL=0

. /etc/init.d/functions

splunk_start() {
  echo Starting Splunk...
  "$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_stop() {
  echo Stopping Splunk...
  "$SPLUNK_HOME/bin/splunk" stop
  RETVAL=$?
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/splunk
}
splunk_restart() {
  echo Restarting Splunk...
  "$SPLUNK_HOME/bin/splunk" restart
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_status() {
  echo Splunk status:
  "$SPLUNK_HOME/bin/splunk" status
  RETVAL=$?
}
case "$1" in

After:

RETVAL=0
USER=bob

. /etc/init.d/functions

splunk_start() {
  echo Starting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_stop() {
  echo Stopping Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" stop'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/splunk
}
splunk_restart() {
  echo Restarting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" restart'
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/splunk
}
splunk_status() {
  echo Splunk status:
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" status'
  RETVAL=$?
}
case "$1" in

Confirm that each splunk command has single quotes around it.
- Save the file and close it.
Changes take effect the next time you boot the machine.
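A check for the edit described in this procedure, added here as an example and not taken from Splunk's documentation or tooling: it reads an init script and reports every line that runs the splunk binary without the su - <user> -c '...' wrapper. The function name audit_init_script and both sample scripts are constructed for illustration.

```sh
#!/bin/sh
# Added example. Returns the number of splunk invocations in an init script
# that are NOT wrapped as:  su - <user> -c '<entire splunk command>'
audit_init_script() {
    awk -v q="'" '
        /^[ \t]*#/ { next }    # skip comment lines
        /bin\/splunk"? +(start|stop|restart|status)/ {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            # Require exactly one single-quoted argument after -c, closing at
            # end of line, so no splunk option can reach su itself.
            if (line ~ ("^su - [^ ]+ -c " q "[^" q "]+" q "$")) {
                print "OK   line " NR ": " line
            } else {
                print "FAIL line " NR ": " line
                bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples, not files from a real installation.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/before" <<'EOF'
splunk_start() {
  echo Starting Splunk...
  "$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes
}
splunk_stop() {
  echo Stopping Splunk...
  "$SPLUNK_HOME/bin/splunk" stop
}
EOF
cat > "$sample_dir/edited" <<'EOF'
USER=bob
splunk_start() {
  echo Starting Splunk...
  su - ${USER} -c '"$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes'
}
splunk_stop() {
  echo Stopping Splunk...
  su - ${USER} -c "$SPLUNK_HOME/bin/splunk" stop
}
EOF

audit_init_script "$sample_dir/before" || echo "unwrapped invocations: $?"
audit_init_script "$sample_dir/edited" || echo "unwrapped invocations: $?"
```

The second sample fails on its stop line because the single quotes were dropped, which leaves the splunk argument outside the string handed to su -c.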
Enable boot-start on machines that run AIX
These instructions work for both Splunk Enterprise and the AIX version of the Splunk universal forwarder. Splunk does not offer a version of Splunk Enterprise for AIX for versions later than 6.3.0.
The AIX version of Splunk does not register itself to auto-start on machine boot. You can configure it to use the System Resource Controller (SRC) to handle boot-time startup.
When you enable boot start on an AIX system, Splunk software interacts with the AIX SRC to enable automatic starting and stopping of Splunk services.
mkssys -G splunk -s splunkd -p <path to splunkd> -u <splunk user> -a _internal_exec_splunkd -S -n 2 -f 9
mkssys -G splunk -s splunkweb -p <path to python> -u <splunk user> -a _internal_exec_splunkweb -S -n 15 -f 9
(on Splunk Enterprise only)
When you enable automatic boot start, the SRC handles the run state of the Splunk Enterprise service. You must use a different command to start and stop Splunk software manually.
- /usr/bin/startsrc -s splunkd to start Splunk software manually.
- /usr/bin/stopsrc -s splunkd to stop Splunk software manually.
If you try to start and stop the software with the ./splunk [start|stop] method from the $SPLUNK_HOME directory, the SRC catches the attempt and displays the following message:
Splunk boot-start is enabled. Please use /usr/bin/[startsrc|stopsrc] -s splunkd to [start|stop] Splunk.
To prevent this message from occurring and restore the ability to start and stop Splunk Enterprise from the $SPLUNK_HOME directory, disable boot start:
[sudo] ./splunk disable boot-start
- For more information on the mkssys command line arguments, see Mkssys command on the IBM pSeries and AIX Information Center website.
- For more information on the SRC, see System resource controller on the IBM Knowledge Center website.
Enable boot-start on AIX to run Splunk Software as a root user
- Log into the AIX machine.
- Become the root user, if able. Otherwise, you must prepend sudo to the following command examples. If you do not have sudo on your AIX instance, you must download, install, and configure it.
- Change to the Splunk bin directory.
- Enable boot start:
[sudo] ./splunk enable boot-start
Enable boot-start on AIX to run Splunk software as a non-root user
- Log into the AIX machine.
- Become the root user, if able. Otherwise, you must prepend sudo to the following command examples. If you do not have sudo on your AIX instance, you must download, install, and configure it.
- Create the user account that the Splunk software should run as. For example, if the splunk user should run the software:
[sudo] mkuser splunk
[sudo] chown -R splunk <Splunk directory>
- Change to the Splunk bin directory.
- Enable boot start and specify the -user flag with the user that the software should run as.
[sudo] ./splunk enable boot-start -user <user that Splunk should run as>
Enable boot-start on MacOS
Splunk software automatically creates a script and configuration file in the directory /System/Library/StartupItems on the volume that booted your Mac. This script runs when your Mac starts, and automatically stops Splunk when you shut down your Mac.
If you want, you can still enable boot-start manually. You must either have root level permissions or use sudo to run the following command. You must have at least administrator access to your Mac to use sudo. If you installed Splunk software in a different directory, replace the example below with your instance location.
- Log into your machine.
- Open the Terminal app.
- Change to the Splunk bin directory:
cd /Applications/Splunk/bin
- Enable boot start:
[sudo] ./splunk enable boot-start
Enable boot-start on MacOS as a non-root user
- Log into your machine.
- Open the Terminal app.
- Change to the Splunk bin directory:
cd /Applications/Splunk/bin
- Enable boot start:
[sudo] ./splunk enable boot-start -user <user Splunk Enterprise should run as>
- Open /Library/LaunchItems/com.splunk.plist for editing.
- Locate the line that begins with <dict>.
- Immediately after this line, add the following block of code:
<key>UserName</key>
<string><user Splunk Enterprise should run as></string>
- Save the file and close it.
Changes take effect the next time you boot the machine.
Disable boot-start
If you want to stop Splunk software from running at machine boot time, run:
[sudo] $SPLUNK_HOME/bin/splunk disable boot-start
Disable boot-start on Windows
By default, Splunk starts automatically when you start your Windows machine. You can configure the Splunk processes (splunkd and splunkweb) to start manually from the Windows Services control panel.
Get more help on boot-start
To learn more about boot-start and how to enable it, see the following:
- The file $SPLUNK_HOME/etc/init.d/README
- The output from the help boot-start command on your Splunk software instance.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1
Comments
For *unix, there is a statement
Confirm that each splunk command has single quotes around it.
This is not applicable to Redhat.
Hi Rg33,
Thanks for your feedback. The splunkd binary places it in /Library/LaunchAgents, and to change it to /Library/LaunchDaemons would require making code modifications. Theoretically, you could move it over to /Library/LaunchDaemons yourself, but if you later disable boot-start, it could cause errors to occur because it will attempt to make changes to the plist file in /Library/LaunchAgents.
For MacOS, would it be better to have "splunk enable boot-start" place the "com.splunk.plist" file in /Library/LaunchDaemons to start at boot, instead of /Library/LaunchAgents which runs on login?
I updated the example to use the actual user rather than the substitute variable. It should be clearer now that you must substitute the user that Splunk runs as in the file.
Hi,
Looks like it's not clear for everybody: you need to replace the user variable when doing the real change to the init script, and the simple quote is at the end (because it closes the argument to su -c 'command'),
so that would become 4 changes with the current init script (if splunk runs as the splunk user and is installed in /opt/splunk)
su - splunk -c '"/opt/splunk/bin/splunk" start --no-prompt --answer-yes'
su - splunk -c '"/opt/splunk/bin/splunk" stop'
su - splunk -c '"/opt/splunk/bin/splunk" restart'
su - splunk -c '"/opt/splunk/bin/splunk" status'
Hi Archme,
I will follow up with our engineers to determine why that command doesn't work. I tested it myself on CentOS 7 and macOS Sierra and it worked. I'll advise you on my findings in email.
Thanks for the report!
Under "Enable boot-start as a non-root user", item #6, the following command does not work for me:
su - ${USER} -c '"<path to Splunk installation>/bin/splunk"'
It is mentioned under the command: The Splunk command has both single and double quotes around it. Confirm that the quotes are in the correct order.
The command that I used in the file was: su - ${USER} -c '"/opt/splunk/bin/splunk start --no-prompt --answer-yes"'
it gave me the following error when starting:
su: unrecognized option '--no-prompt'
The command that worked for me was:
su - ${USER} -c '/opt/splunk/bin/splunk start --no-prompt --answer-yes'
Note that I only used single quote.
FYI my environment is on centos 7 and I am running splunk v7
To follow up on Fairje and Malmoore's comments, here is the fix:
sudo sed -i '16s/.*/ su - splunk -c "\/opt\/splunk\/bin\/splunk start --no-prompt --answer-yes"/' /etc/init.d/splunk
In the instructions above, under "Boot-start script does not inherit user limits set at boot time", point 4 is incorrect. The modification needs to happen in the splunk_start() function on line 16. No reboot is required, simply "splunk stop" and then "splunk start" will pick up the change and ulimits will be respected.
Tested on RHEL 7.3 and Splunk 6.6.2
Hi Fairje,
Thanks for the report. We're investigating this now. We were asked to add this section because Splunk was not inheriting the correct user limits for non-root users at boot time. We'll make adjustments as necessary after we complete the investigation.
Section: Boot-start script does not inherit user limits set at boot time
This no longer appears to be applicable and in fact will mess up your boot up sequence. Upon running this script after you put in this change it tries to drop you into a terminal under that user and the script just stalls out, which in turn stalls out your boot up sequence. It would appear that removing this (or not putting it in in the first place) causes Splunk to be started correctly under the right splunk user context.
This was done on RHEL 6.8 and Splunk 6.4.6. It is unclear when this specifically changed and if it was a linux change or splunk change or both?
If you're using CentOS 7 or another systemd linux, you might want to set up a systemd unit file instead of using the old init.d file. There's a good post on it here: https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html