Splunk Enterprise does not start due to unusable filesystem
If you receive an error message like the following when you start Splunk Enterprise on a *nix machine, it might be because the software does not know how to write to your machine filesystem.
homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem. Validating databases (splunkd validatedb) failed with code '1'.
Splunk Enterprise must be able to write to the local filesystem to index your data. Splunk provides support for many different filesystems, as described in System requirements in the Installation Manual. On machines with an unrecognized filesystem, Splunk Enterprise runs a utility called
locktest that confirms whether it can work with the filesystem. If
locktest fails for any reason,
splunkd does not start, to prevent you from indexing data to a filesystem that it cannot write to.
locktest utility can fail for a number of reasons:
- The filesystem is not known, and Splunk Enterprise cannot perform the proper file locking on it.
- The filesystem has been marked as read-only, or has otherwise been changed by the operating system.
- A library or function that
locktestuses to perform the tests is not available or cannot be loaded.
This troubleshooting topic does not apply to Splunk Enterprise instances that run on Windows machines.
Temporarily bypass filesystem checks
If you are a Splunk administrator who understands the risks, you can temporarily bypass filesystem checks to get Splunk Enterprise running again.
Configuring this setting can be dangerous and is not supported in normal operations. Irrevocable data loss can occur. You perform this action solely at your own risk. By configuring the setting, you actively bypass filesystem checks that confirm if Splunk Enterprise can run on your machine filesystem. In a production environment, you must not use this setting as a long-term solution to a filesystem problem. If you use the setting under the guidance of Splunk Support, immediately report any problems that you encounter with indexing or search.
Use the setting in one or more of the following scenarios only:
- You are a skilled Splunk administrator and understand the risks of bypassing filesystem checks.
- You use Splunk software in a development environment.
- You want to recover from a situation where the default filesystem has been changed outside of your control, such as during an operating system upgrade.
- You want to recover from a situation where a Splunk bug has invalidated a previously functional filesystem after an upgrade.
- You want to evaluate the performance of a filesystem for which Splunk has not yet offered support.
- You have been given explicit instruction from Splunk Support to use the setting to solve a problem where Splunk software does not start because of a failed filesystem check.
- You understand and accept all of the risks of using the setting, up to and including losing all your data with no ability to recover it.
- On the machine that is experiencing the failure, open a shell prompt.
- Become root or an administrative equivalent with
sudo su -
$SPLUNK_HOME/etc/splunk-launch.confwith a text editor.
$SPLUNK_HOME represents where you have installed Splunk Enterprise. For example, if you installed Splunk Enterprise in /opt/splunk, then you would edit /opt/splunk/etc/splunk-launch.conf.
- In the file, add the following line anywhere:
- Save the file and close the text editor.
- Restart Splunk Enterprise.
- Confirm that the
splunkdservice has started.
I get errors about ulimit in splunkd.log
HTTP thread limit issues
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!