Skip to main content
  • EN

Instructions

  1. Prepare Linux box. On this page, we will use Ubuntu 18.04.5 LTS.

    <Sample configuration>
    OS type: Ubuntu 18.04.5 LTS※1
    CPU: 2 Processors※2
    RAM: 4 GB
    Disk: 60 GB

    Ubuntu 18.04.5 LTS Desktop image download link:
    https://releases.ubuntu.com/18.04/ubuntu-18.04.5-desktop-amd64.iso (If link is broken there is probably a new version of Ubuntu. Visit Ubuntu 18.04.6 LTS (Bionic Beaver) and select “Desktop image” for the latest ISO.)

    ※1 It does not need to be Ubuntu 18.04 LTS. Either Ubuntu 20.04 LTS or 22.04 LTS is fine.
    ※2 Splunk Enterprise does not support ARM architecture, including Apple Silicon.
     

  2. Download Splunk binary and extract it to /opt directory.
    If you are running a Linux server on the VirtualBox, please disable the Netskope client first otherwise you will get the cert error.
     

     

     

    sudo su -
    wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"
    tar xvzf splunk*.tgz -C /opt/
    echo "export PATH=\$PATH:/opt/splunk/bin" >> /etc/profile
    source /etc/profile

     

  3. Start Splunk accepting the license term and configure your admin account and password. This is a user for Splunk instance and it doesn't relate with your Linux user.

     

    splunk start --accept-license


    Console output example:

    root@toshi-VirtualBox:~# splunk start --accept-license

    This appears to be your first time running this version of Splunk.

    Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
    Create credentials for the administrator account.
    Characters do not appear on the screen when you type in credentials.

    Please enter an administrator username: admin ★Enter the admin user name here
    Password must contain at least:
       * 8 total printable ASCII character(s).
    Please enter a new password: ★Enter your admin password here
    Please confirm new password: ★Enter your admin password here
    Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
    Generating RSA private key, 2048 bit long modulus
    .........................................................+++++
    ...................+++++
    e is 65537 (0x10001)
    writing RSA key

    Generating RSA private key, 2048 bit long modulus
    ................+++++
    ........................+++++
    e is 65537 (0x10001)
    writing RSA key

    Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.

    Splunk> All batbelt. No tights.

    Checking prerequisites...
            Checking http port  8000]: open
            Checking mgmt port  8089]: open
            Checking appserver port C127.0.0.1:8065]: open
            Checking kvstore port  8191]: open
            Checking configuration... Done.
                    Creating: /opt/splunk/var/lib/splunk
                    Creating: /opt/splunk/var/run/splunk
                    Creating: /opt/splunk/var/run/splunk/appserver/i18n
                    Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
                    Creating: /opt/splunk/var/run/splunk/upload
                    Creating: /opt/splunk/var/run/splunk/search_telemetry
                    Creating: /opt/splunk/var/spool/splunk
                    Creating: /opt/splunk/var/spool/dirmoncache
                    Creating: /opt/splunk/var/lib/splunk/authDb
                    Creating: /opt/splunk/var/lib/splunk/hashDb
    New certs have been generated in '/opt/splunk/etc/auth'.
            Checking critical directories...        Done
            Checking indexes...
                    Validated: _audit _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
            Done
            Checking filesystem compatibility...  Done
            Checking conf files for problems...
            Done
            Checking default conf files for edits...
            Validating installed files against hashes from '/opt/splunk/splunk-8.1.3-63079c59e632-linux-2.6-x86_64-manifest'
            All installed files intact.
            Done
    All preliminary checks passed.

    Starting splunk server daemon (splunkd)...
    Generating a RSA private key
    ..............+++++
    ...+++++
    writing new private key to 'privKeySecure.pem'
    -----
    Signature ok
    subject=/CN=toshi-VirtualBox/O=SplunkUser
    Getting CA Private Key
    writing RSA key
    Done


    Waiting for web server at http://127.0.0.1:8000 to be available... Done


    If you get stuck, we're here to help.
    Look for answers here: http://docs.splunk.com

    The Splunk web interface is at http://toshi-VirtualBox:8000

    root@toshi-VirtualBox:~#

     

  4. Enable boot-start

     

    sudo splunk enable boot-start

     

  5. Open Firefox and access http://localhost:8000
    Log in to the Splunk by user account/pass you configured on procedure #3.
     

     

     

     

  6. (Optional) The enterprise license will expire within 60 days. Convert license type from Enterprise to free. You can feed up to 512MB of data every day forever.
    About Splunk Free - Splunk Documentation
     

     

     

     

  7. You can stop/start Splunk using the commands below.
     

    sudo splunk stop
    sudo splunk start

     

Be the first to reply!

Reply


Badges Winner

Show all badges

Not finding what you're looking for?

Don't be shy and let us know about your challenge.

Ask your question here!
Terms & ConditionsCookie settings