Installing Splunk on Linux

Installation

These instructions were written against Rocky Linux 9.4. That platform was chosen because Rocky Linux 9.x is built to be bug-for-bug compatible with Red Hat Enterprise Linux 9, so the steps apply to RHEL and its other rebuilds as well.

I will be using the free trial of Splunk Enterprise for Linux, which gives you 60 days to experiment with indexing up to 500 MB/day.

Download Splunk

Method 1 - WGET

The easiest way to obtain Splunk is to fetch it with wget from the CLI. Note that this link changes as new versions are released, and that the download is not authenticated beyond TLS, so verify the package against the checksum Splunk publishes before extracting it. If you are unable to obtain Splunk using wget, proceed to Method 2.

wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"

Method 2 - Using a Browser

Navigate to www.splunk.com, click Free Splunk in the upper right-hand corner, and choose to log in or sign up.

Once Logged in, navigate to Products > Free trials and downloads > Splunk Enterprise > Get my Free Trial

Download the TGZ file from the Linux Selections
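Whichever method you used, check the package against the SHA-512 digest that Splunk publishes next to each download before it goes anywhere near /opt. The script below is an added example and is not part of the original post or of Splunk's own tooling. It assumes that the digest file is the package URL with ".sha512" appended (which is how the download page links it) and that the digest file carries the 128-hex-digit SHA-512 somewhere on a line, whatever the surrounding format; the parser accepts either "digest  filename" or "SHA512 (filename) = digest".

```shell
#!/bin/sh
# Added example, not part of the original post: verify a Splunk package
# against its published SHA-512 before extracting it.

# digest_from_checksum_file FILE -> prints the first 128-hex-digit digest in FILE, lower-cased
digest_from_checksum_file() {
    grep -oiE '[0-9a-f]{128}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# verify_tarball FILE EXPECTED -> 0 on match, 1 on mismatch,
# 2 if FILE is unreadable or EXPECTED is not a SHA-512 hex digest
verify_tarball() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected digest is not hex: '$2'" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 128 ] || { echo "expected digest is not 128 hex digits" >&2; return 2; }
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# fetch_and_verify URL -> downloads the package and its .sha512 companion
# (assumed to live at URL.sha512) into the current directory and verifies it.
# On mismatch the package is deleted so a later "tar -C /opt" cannot pick it up.
fetch_and_verify() {
    local url="$1" file digest
    file="${url##*/}"
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 2; }
    wget -q -O "$file.sha512" "$url.sha512" || { echo "download failed: $url.sha512" >&2; return 2; }
    digest=$(digest_from_checksum_file "$file.sha512")
    verify_tarball "$file" "$digest" || { rm -f "$file"; return 1; }
}

# Usage, with the URL from Method 1 above:
# fetch_and_verify "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"
```

If you downloaded with a browser instead, copy the SHA-512 shown on the download page and run verify_tarball on the file directly. A mismatch means the archive is corrupt or not the one Splunk published; do not extract it.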

Install & Start

Open Firewall Rules

Port 8000 is Splunk Web, 8089 is the management (REST) port, and 9997 is the port forwarders send data to. Open only the ones you will actually use: if nothing will forward data to this host, leave 9997 closed, and 8089 only needs to be reachable from hosts that manage or search this instance.

sudo firewall-cmd --add-port=8000/tcp --permanent
sudo firewall-cmd --add-port=8089/tcp --permanent
sudo firewall-cmd --add-port=9997/tcp --permanent
sudo firewall-cmd --reload

Extract Splunk TGZ

This installation will reside in /opt.

sudo tar xvzf <splunk_package_name>.tgz -C /opt

Because the archive is extracted with sudo, everything under /opt/splunk is owned by root at this point; the boot-start step below hands it to a dedicated service user.

Note: From here on, $SPLUNK_HOME will refer to /opt/splunk

Execute Splunk Installer

cd $SPLUNK_HOME/bin
sudo ./splunk start --accept-license

Create a splunk admin username when prompted (Pressing ENTER uses the default username of ‘admin’)

Create a password for the splunk username created and confirm

Verify Splunk Started

Splunk should already be running, but you can start it and verify its status with the following two commands executed from within $SPLUNK_HOME/bin.

sudo ./splunk start
sudo ./splunk status

Start Splunk On Boot

On most *nix platforms the following is sufficient to enable boot-start:

sudo $SPLUNK_HOME/bin/splunk enable boot-start

However, on Rocky/Red Hat Enterprise Linux 8 and later (systemd hosts) you should stop Splunk, register it as a systemd-managed service running under a dedicated user, and start it again:

cd $SPLUNK_HOME/bin
sudo ./splunk stop
sudo ./splunk enable boot-start -user <username> -systemd-managed 1
sudo ./splunk start

Note: the username must be an existing, non-root Linux account, for example one created with "sudo useradd -r -s /sbin/nologin -d /opt/splunk splunk". It is not the Splunk admin username chosen during installation. Up to this point Splunk has been running as root, so before the start make sure the service account owns the whole install tree ("sudo chown -R <username>:<username> /opt/splunk"); otherwise splunkd cannot write its own configuration, logs and indexes once it is no longer root.
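The point of the -user switch is least privilege: splunkd should run as the service account and nothing under $SPLUNK_HOME should still belong to root. The checks below are an added example, not part of the original post or of Splunk's own CLI. They assume the service account is named "splunk" and that the install lives at /opt/splunk; both are parameters.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that Splunk is confined
# to its service account after "enable boot-start -user <username>".

# files_not_owned_by DIR USER -> lists entries under DIR whose owner is not USER.
# Returns 0 if there are none, 1 if there are, 2 if USER or DIR does not exist.
files_not_owned_by() {
    local dir="$1" user="$2" stray
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    stray=$(find "$dir" ! -user "$user" 2>/dev/null)
    [ -z "$stray" ] && return 0
    echo "not owned by $user (fix with: sudo chown -R $user:$user $dir):" >&2
    echo "$stray" | sed 's/^/  /' >&2
    return 1
}

# splunkd_runs_as USER -> 0 if every running splunkd process runs as USER,
# 1 if any runs as someone else (typically root), 2 if splunkd is not running.
splunkd_runs_as() {
    local user="$1" pids p owner
    pids=$(pgrep -x splunkd) || { echo "splunkd is not running" >&2; return 2; }
    for p in $pids; do
        owner=$(stat -c %U "/proc/$p" 2>/dev/null) || continue   # process exited meanwhile
        if [ "$owner" != "$user" ]; then
            echo "splunkd pid $p runs as $owner, not $user" >&2
            return 1
        fi
    done
    return 0
}

# check_splunk_privileges DIR USER -> runs both checks; returns 0 only if both pass
check_splunk_privileges() {
    local rc=0
    files_not_owned_by "$1" "$2" || rc=1
    splunkd_runs_as "$2" || rc=1
    return $rc
}

# Usage after the boot-start step (the "splunk" account and /opt/splunk are assumptions):
#   check_splunk_privileges /opt/splunk splunk && echo "Splunk is confined to the splunk account"
```

Run it after the final "splunk start". A non-zero result with root-owned paths listed means the chown was skipped or Splunk wrote files while it was still running as root; a pid reported as root means the old root-started process is still up or the systemd unit was not the one that started it, so stop Splunk and start it through systemctl instead.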

Open Splunk Web

Navigate to http://<SPLUNK IP OR HOSTNAME>:8000

Log in using the admin username and password chosen during the installation steps.

Note that Splunk Web listens on plain HTTP by default, so the admin credentials cross the network in the clear. Before exposing port 8000 beyond a lab, set enableSplunkWebSSL = true under the [settings] stanza of $SPLUNK_HOME/etc/system/local/web.conf and restart Splunk; the UI is then served at https://<SPLUNK IP OR HOSTNAME>:8000 with Splunk's self-signed certificate until you install your own.
