Skip to content

Instantly share code, notes, and snippets.

@AlainODea
Last active February 10, 2020 15:57
Show Gist options
  • Save AlainODea/6540462 to your computer and use it in GitHub Desktop.
Save AlainODea/6540462 to your computer and use it in GitHub Desktop.
Splunk Forwarder SMF Manifest
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
<service name='site/splunkforwarder' type='service' version='0'>
<create_default_instance enabled='true'/>
<single_instance/>
<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/local'/>
</dependency>
<dependency name='splunk_multi-user' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/milestone/multi-user'/>
</dependency>
<dependency name='splunk_network' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/milestone/network'/>
</dependency>
<dependency name='splunk-binary' grouping='require_all' restart_on='refresh' type='path'>
<service_fmri value='file://localhost/opt/splunkforwarder/bin/splunk'/>
</dependency>
<dependent name='splunk_multi-user-server' restart_on='none' grouping='optional_all'>
<service_fmri value='svc:/milestone/multi-user-server'/>
</dependent>
<method_context project=':default' resource_pool=':default' working_directory=':default'>
<method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
<method_environment>
<envvar name='HOME' value='/opt/splunkforwarder'/>
<envvar name='SPLUNK_HOME' value='/opt/splunkforwarder'/>
</method_environment>
</method_context>
<exec_method name='start' type='method' exec='/opt/splunkforwarder/bin/splunk %m --accept-license' timeout_seconds='300'/>
<exec_method name='stop' type='method' exec='/opt/splunkforwarder/bin/splunk %m' timeout_seconds='300'/>
<exec_method name='refresh' type='method' exec='/opt/splunkforwarder/bin/splunk restart' timeout_seconds='600'/>
<property_group name="startd" type="framework">
<propval name="duration" type="astring" value="contract"/>
<propval name="ignore_error" type="astring" value="core,signal"/>
</property_group>
<stability value='Unstable'/>
<template>
<common_name>
<loctext xml:lang='C'>splunk log server</loctext>
</common_name>
</template>
</service>
</service_bundle>
@AlainODea
Copy link
Author

Fixed by removing superfluous dependency on license file which isn't present on the forwarder.

@AlainODea
Copy link
Author

Made the service use startd.duration=contract since /opt/splunkforwarder/bin/splunk start --accept-license will launch splunkd and then detach. I have no idea how it worked at all before.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment