This is a guide on how to set up a Splunk Enterprise instance on macOS.

Instructions

  1. This procedure was tested on a machine with the following specifications.

    MacBook Pro 14-inch, 2021
    Apple M1 Pro
    Sonoma 14.7.2

  2. Download the macOS installer (DMG) from the Splunk website. A user registration is required for the download.

    https://www.splunk.com/en_us/download/splunk-enterprise.html

    * Splunk does not provide an installer built for Apple Silicon. Install the Intel (x86_64) build and run it under Rosetta.

  3. Double-click the downloaded installer to install Splunk.

  • Click the "Install Splunk" button to start the installation.
  • The installation wizard will start; accept each prompt. You may be asked to grant permissions or to install additional components; complete all of these steps.
  • If the installation succeeds, the Terminal launches and asks you to set the Splunk admin username and password. The conventional username is "admin"; choose a strong password (Splunk's default policy requires at least 8 characters). This account has full administrative rights over the instance.
  • You will be asked whether you want to start Splunk; choose to start it. A web browser opens automatically on the login screen. Log in with the username and password you set earlier.
  • Set the command path for Splunk. If you are using zsh, add the following line to ~/.zshrc.

    ex)

    export PATH="/Applications/Splunk/bin:$PATH"

    Load .zshrc:

    % source ~/.zshrc

    Check the command path:

    ex)

    % which splunk
    /Applications/Splunk/bin/splunk
    %
  • Run the following command so that Splunk starts automatically after a reboot (on macOS this registers a launchd daemon). You can confirm the instance is running with `splunk status`:

    sudo splunk enable boot-start

  • The Enterprise trial license expires after 60 days. Convert the license group from Enterprise to Free; the Free license lets you index up to 500 MB of data per day.

    http://localhost:8000/en-GB/ → Settings → Licensing → Change license group

    Select "Free License" and click "Save". Restart Splunk and the license group will change to Free.

    Note that the Free license disables authentication (and scheduled alerting): anyone who can reach Splunk Web on port 8000 gets full access without a login. Keep the instance on a trusted network, or bind Splunk Web to localhost only (server.socket_host in web.conf).

  • To suppress a noisy warning message in Splunk Web, create the file below. (The warning itself is harmless.) The allowedDomainList setting restricts which recipient domains the e-mail alert action may send to, so use your own organisation's domain in place of netskope.com.

    vi /Applications/Splunk/etc/system/local/alert_actions.conf

    Add the following setting:

    [email]
    allowedDomainList = netskope.com

    ex)

    % cat /Applications/Splunk/etc/system/local/alert_actions.conf
    [email]
    allowedDomainList = netskope.com

  • Restart Splunk. The warning message will no longer appear.

    sudo splunk restart
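As an added example (not part of the original guide), the following POSIX shell script applies two of the edits above idempotently, so it can be re-run without side effects: it appends the PATH line to a shell rc file only if it is not already there, and it sets allowedDomainList in the [email] stanza of alert_actions.conf without clobbering any other stanza or key already in the file (the guide's "create the file" step would overwrite an existing configuration). The SPLUNK_HOME default, the scratch-file name and the example.com domain in the usage comment are assumptions, not values taken from Splunk or from the page.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the guide's two config
# edits idempotently so the script can be re-run safely.
# Assumption: SPLUNK_HOME defaults to /Applications/Splunk (the path used in
# the guide); override it in the environment for a different install.

splunk_home() {
    printf '%s\n' "${SPLUNK_HOME:-/Applications/Splunk}"
}

alert_actions_conf() {
    printf '%s\n' "$(splunk_home)/etc/system/local/alert_actions.conf"
}

# Append the PATH export to the given rc file unless an identical line is
# already present, so repeated runs do not stack duplicate PATH entries.
add_splunk_to_path() {
    rcfile="$1"
    line="export PATH=\"$(splunk_home)/bin:\$PATH\""
    [ -f "$rcfile" ] || : > "$rcfile"
    grep -qxF -- "$line" "$rcfile" && return 0
    printf '%s\n' "$line" >> "$rcfile"
}

# Print the current allowedDomainList value from the [email] stanza
# (empty output if the file or the key is missing).
get_email_allowed_domains() {
    conf="$(alert_actions_conf)"
    [ -f "$conf" ] || return 0
    awk '
        /^\[/ { in_email = ($0 == "[email]") }
        in_email && /^allowedDomainList[[:space:]]*=/ {
            sub(/^allowedDomainList[[:space:]]*=[[:space:]]*/, ""); print; exit
        }' "$conf"
}

# Set allowedDomainList in the [email] stanza. Three cases:
#   - no [email] stanza yet: append one;
#   - stanza present but key missing: insert the key right after the header;
#   - key present: replace its value in place.
# Other stanzas and keys in the file are left untouched.
set_email_allowed_domains() {
    domains="$1"
    conf="$(alert_actions_conf)"
    tmp="$conf.tmp.$$"   # assumed scratch name, renamed over the original
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -q '^\[email\]' "$conf"; then
        if [ -s "$conf" ]; then printf '\n' >> "$conf"; fi
        printf '[email]\nallowedDomainList = %s\n' "$domains" >> "$conf"
    elif [ -z "$(get_email_allowed_domains)" ]; then
        awk -v d="$domains" '
            { print }
            $0 == "[email]" { print "allowedDomainList = " d }' "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        awk -v d="$domains" '
            /^\[/ { in_email = ($0 == "[email]") }
            in_email && /^allowedDomainList[[:space:]]*=/ { print "allowedDomainList = " d; next }
            { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
    fi
}

# Usage (as in the guide, with your own mail domain in place of example.com):
#   add_splunk_to_path "$HOME/.zshrc"
#   set_email_allowed_domains example.com
#   sudo "$(splunk_home)/bin/splunk" restart
```

Run `get_email_allowed_domains` after a restart to confirm the value Splunk will read; because only the [email] stanza is touched, any other alert action settings an administrator has already placed in etc/system/local survive the edit.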
