Configure Linux systems running systemd
If your Linux system is running systemd
, you must configure systemd
to manage splunkd
as a service by creating a unit file that defines a cgroup
hierarchy.
The following diagram illustrates the cgroup
hierarchy under systemd
:
For more information, see cgroups.
You must configure cpu and memory cgroups for workload management on all search heads and indexers.
Configure systemd to manage splunkd as a service
There are two ways to configure systemd
to manage splunkd
as a service:
- Configure
systemd
manually. - Configure
systemd
automatically using thesplunk enable boot-start
command.
System requirements
To use workload management in Splunk Enterprise under systemd
requires systemd
version 219 or higher. For more information, see Linux operating system requirements.
Splunk Enterprise 9.4.0 and higher supports workload management on Linux cgroups v2 by default.
Permissions requirements for systemd
systemd
has the following permissions requirements:
- Non-root users must have super user permissions to manually configure
systemd
on Linux. - Non-root users must have super user permissions to run
start
,stop
, andrestart
commands undersystemd
.
For instructions on how to create a new user with super user permissions, see your Linux documentation. The specific steps can vary depending on the specific Linux distribution.
You must use sudo
to run splunk start|stop|restart
. If you do not use sudo
, you must authenticate. For example:
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units === Authentication is required to manage system services or units. Multiple identities can be used for authentication: 1. <username_1> 2. <username_2> Choose identity to authenticate as (1-2): 2 Password: ==== AUTHENTICATION COMPLETE ===
Alternatively, you can install polkit rules to allow non-root users to run start, stop, and restart operations under systemd without using sudo, when running the enable-boot-start
command to configure the systemd service automatically. For more information, see Install polkit rules to elevate user permissions.
Configure systemd manually
Follow these steps to configure systemd
to manage splunkd
as a service:
-
Confirm that your Linux machine is running
systemd
. See Is Linux running systemd?. -
Before you create, delete, or modify the
systemd
unit file, you must stopsplunkd
.$SPLUNK_HOME/bin/splunk stop
-
If you enabled Splunk software to start at boot using
enable boot-start
, rundisable boot-start
to remove thesplunk
init
script from/etc/init.d
and its symbolic links.sudo $SPLUNK_HOME/bin/splunk disable boot-start
-
Open the
$SPLUNK_HOME/etc/splunk-launch.conf
file and note the value ofSPLUNK_SERVER_NAME
. The default value isSplunkd
. -
In the
/etc/systemd/system
directory, create a unit file (text file) named<SPLUNK_SERVER_NAME>.service
, such asSplunkd.service
.You can change the
SPLUNK_SERVER_NAME
to any name you choose by directly editing thesplunk-launch.conf
file. -
Add the following set properties to the
<SPLUNK_SERVER_NAME>.service
unit file, depending on whether your Linux system is using cgroups v1 or cgroups v2:
For cgroups v1:[Unit] After=network.target [Service] Type=simple Restart=always ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd KillMode=mixed KillSignal=SIGINT TimeoutStopSec=360 LimitNOFILE=65536 SuccessExitStatus=51 52 RestartPreventExitStatus=51 RestartForceExitStatus=52 User=splunk Group=splunk Delegate=true CPUShares=1024 MemoryLimit=<total_available_system_memory> PermissionsStartOnly=true ExecStartPost=/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n" ExecStartPost=/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n" [Install] WantedBy=multi-user.target
The
MemoryLimit
value is set to the total available system memory in bytes. TheMemoryLimit
value does not update if the total available system memory changes. To update theMemoryLimit
value, you must manually edit the unit file and run thesystemctl daemon-reload
command to reload systemd.For cgroups v2:
#This unit file replaces the traditional start-up script for systemd #configurations, and is used when enabling boot-start for Splunk on #systemd-based Linux distributions. [Unit] Description=Systemd service file for Splunk, generated by 'splunk enable boot-start' After=network-online.target Wants=network-online.target [Service] Type=simple Restart=always ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd KillMode=mixed KillSignal=SIGINT TimeoutStopSec=360 LimitNOFILE=65536 LimitRTPRIO=99 SuccessExitStatus=51 52 RestartPreventExitStatus=51 RestartForceExitStatus=52 User=splunk Group=splunk Delegate=true CPUWeight=100 MemoryMax=<total_available_system_memory> PermissionsStartOnly=true ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/system.slice/%n" [Install] WantedBy=multi-user.target
In the cgroups v2 unit file,
CPUWeight
replacesCPUShares
andMemoryMax
replacesMemoryLimit
.The
MemoryMax
value is set to the total available system memory in bytes. TheMemoryMax
value does not update automatically if the total available system memory changes. To update theMemoryMax
value, you must manually edit the unit file and run thesystemctl daemon-reload
command to reload systemd.The following unit file properties are set specifically for Splunk workload management:
Type=simple
Restart=always
Delegate=true
Do not change these values unless you are familiar withsystemd
or receive guidance from Splunk support.Do not use the following unit file properties. These properties can cause
splunkd
to fail on restart.
RemainAfterExit=yes
ExecStop
For more information on
systemd
unit file configuration settings, see Service unit configuration. -
Reload the unit file.
sudo systemctl daemon-reload
-
Start
splunkd
.sudo $SPLUNK_HOME/bin/splunk start
This starts
splunkd
as asystemd
service.Under
systemd
,splunk start|stop|restart
commands are mapped tosystemctl start|stop|restart
commands. -
Verify that
splunkd
is running as asystemd
service:sudo systemctl status <SPLUNK_SERVER_NAME>.service
- For distributed deployments, repeat steps 1-9 on all search heads and indexers.
Manage clusters under systemd
When managing an indexer cluster under systemd
:
You must use the sudo
command to start, stop, and restart the cluster manager node or individual peer nodes using splunk start|stop|restart
commands. You do not need sudo
to perform a rolling restart using the splunk rolling-restart cluster-peers
command, or to take a peer offline using the splunk offline
command.
When managing a search head cluster under systemd
:
You must use the sudo
command to start, stop, and restart cluster members using splunk start|stop|restart
commands. You do not need sudo
to perform a rolling restart using the splunk rolling-restart shcluster-members
command, or to remove a cluster member using the splunk remove shcluster-members
command.
Upgrade considerations for systemd
Next steps
After you set up cgroups on your Linux operating system, you can configure workload management in Splunk Enterprise. See Configure workload management.
Set up Linux for workload management | Configure Linux systems not running systemd |
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0
Feedback submitted, thanks!