sazizan
January 3, 2025
These instructions were made using Rocky Linux 9.4. This platform was chosen because Rocky Linux 9.x should be bug-for-bug compatible with Enterprise Linux.
I will be using the free trial of Splunk Enterprise for Linux, which gives you 60 days to index up to 500MB/day.
The easiest way to obtain Splunk is to use wget at the CLI. Note that this link will change as versions are updated. If you are unable to obtain Splunk using wget, proceed to Method 2.
wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"
Navigate to www.splunk.com, click Free Splunk in the upper right-hand corner, and choose to log in or sign up.
Once logged in, navigate to Products > Free trials and downloads > Splunk Enterprise > Get my Free Trial
Download the TGZ file from the Linux Selections
sudo firewall-cmd --add-port=8000/tcp --permanent
sudo firewall-cmd --add-port=8089/tcp --permanent
sudo firewall-cmd --add-port=9997/tcp --permanent
sudo firewall-cmd --reload
This installation will reside in /opt
sudo tar xvzf <splunk_package_name>.tgz -C /opt
Note: From here on, $SPLUNK_HOME will refer to /opt/splunk
cd $SPLUNK_HOME/bin
sudo ./splunk start --accept-license
Create a splunk admin username when prompted (Pressing ENTER uses the default username of ‘admin’)
Create a password for the Splunk username you just created and confirm it.
Splunk should already be started, but you can start it and verify its status with the following two commands executed from within $SPLUNK_HOME/bin.
sudo ./splunk start
sudo ./splunk status
When enabling boot-start on *nix platforms, the following would normally suffice.
sudo $SPLUNK_HOME/bin/splunk enable boot-start
However, for Rocky/RedHat Linux versions 8+ you will need to perform the following (note that the first line changes into the bin directory, not into the splunk binary).
cd $SPLUNK_HOME/bin
sudo ./splunk stop
sudo ./splunk enable boot-start -user <username> -systemd-managed 1
sudo ./splunk start
Note: the username should be a non-root Linux user. This is not the username specified during the Splunk installation.
Navigate to http://<SPLUNK IP OR HOSTNAME>:8000
Login using the admin username and password chosen during the installation steps.
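The steps above can be wrapped in a small POSIX shell script. The script below is an added example, not part of the original post or of Splunk's own tooling. It adds two checks a defender wants before an archive is unpacked into /opt and a service is registered to start at boot: the tarball's SHA-512 must match a published checksum file, and the account handed to enable boot-start -user must exist and must not be root. It assumes a checksum file sits beside the tarball (Splunk publishes per-download checksums; confirm the exact filename and format on the download page, both openssl-style SHA512(file)= lines and sha512sum-style lines are accepted here), that $SPLUNK_HOME is /opt/splunk, and it can be run with DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added helper (not from the original post): automates the manual steps above
# with an integrity check on the tarball and a sanity check on the service user.
# Assumption: a "<tarball>.sha512" checksum file is available next to the
# download; SPLUNK_HOME is /opt/splunk as in the post.

# run <command...>: execute, or just echo the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# sha512_of <file>: print the hex SHA-512 digest of a file (coreutils or shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1"
    else
        shasum -a 512 "$1"
    fi | awk '{print $1}'
}

# verify_tarball <tarball> <checksum-file>
# Returns 0 only when the tarball's digest equals the 128-hex-char digest found
# in the checksum file (works for "SHA512(name)= <hex>" and "<hex>  name").
verify_tarball() {
    tarball=$1
    sumfile=$2
    [ -f "$tarball" ] && [ -f "$sumfile" ] || return 1
    expected=$(grep -oiE '[0-9a-f]{128}' "$sumfile" | head -n 1)
    actual=$(sha512_of "$tarball")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_service_user <name>
# The post notes boot-start must run as a non-root Linux user: the account
# must exist and its uid must not be 0.
check_service_user() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# open_splunk_ports [port ...]: web UI 8000, management 8089, receiving 9997.
open_splunk_ports() {
    [ $# -gt 0 ] || set -- 8000 8089 9997
    for port in "$@"; do
        run sudo firewall-cmd --add-port="${port}/tcp" --permanent
    done
    run sudo firewall-cmd --reload
}

# install_splunk <tarball> <checksum-file> <service-user>
# Refuses to extract on a checksum mismatch or a bad service user, then
# replays the post's sequence: extract, first start, stop, enable boot-start
# (systemd-managed, as required on Rocky/RHEL 8+), start.
install_splunk() {
    tarball=$1
    sumfile=$2
    svc_user=$3
    verify_tarball "$tarball" "$sumfile" || {
        echo "checksum mismatch for $tarball, refusing to extract" >&2
        return 1
    }
    check_service_user "$svc_user" || {
        echo "service user '$svc_user' must exist and must not be root" >&2
        return 1
    }
    open_splunk_ports
    run sudo tar xzf "$tarball" -C /opt
    run sudo /opt/splunk/bin/splunk start --accept-license
    run sudo /opt/splunk/bin/splunk stop
    run sudo /opt/splunk/bin/splunk enable boot-start -user "$svc_user" -systemd-managed 1
    run sudo /opt/splunk/bin/splunk start
}

# Example invocation (review the plan first):
#   DRY_RUN=1 sh install_splunk.sh   # then call:
#   install_splunk splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz \
#       splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz.sha512 splunk
```

Running with DRY_RUN=1 prints each sudo command without executing it, so the sequence can be reviewed before touching the firewall or /opt. The checksum check is the step most worth keeping even if the rest is done by hand: the tarball is extracted as root into /opt and later registered as a boot-time service, so a tampered download would run with full privileges on every boot.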