Instructions
-
Prepare a Linux box. On this page we use Ubuntu 18.04.5 LTS.
<Sample configuration>
OS type: Ubuntu 18.04.5 LTS※1
CPU: 2 Processors※2
RAM: 4 GB
Disk: 60 GB
Ubuntu 18.04.5 LTS Desktop image download link:
https://releases.ubuntu.com/18.04/ubuntu-18.04.5-desktop-amd64.iso (If the link is broken there is probably a newer point release. Visit Ubuntu 18.04.6 LTS (Bionic Beaver) and select "Desktop image" for the latest ISO.)
※1 It does not need to be Ubuntu 18.04 LTS. Either Ubuntu 20.04 LTS or 22.04 LTS is fine.
※2 The amd64 Splunk Enterprise tarball used on this page does not run on ARM hosts, including Apple Silicon Macs.
-
Download the Splunk binary and extract it to the /opt directory.
If the Linux VM runs on VirtualBox on a laptop with the Netskope client, disable the client first. Netskope intercepts TLS with its own CA, which the VM does not trust, so wget fails with a certificate error. Disable the interception rather than passing --no-check-certificate, which would let any interposed party feed you a modified tarball.
sudo su -
wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"
tar xvzf splunk*.tgz -C /opt/
echo "export PATH=\$PATH:/opt/splunk/bin" >> /etc/profile
source /etc/profile
-
Start Splunk, accept the license terms, and configure your admin account and password. This account belongs to the Splunk instance and is unrelated to your Linux user.
splunk start --accept-license
Console output example (captured from an older 8.1.3 install, which is why the manifest line below names 8.1.3; the prompts and checks are the same for 9.4.0):
root@toshi-VirtualBox:~# splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin ★Enter the admin user name here
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password: ★Enter your admin password here
Please confirm new password: ★Enter your admin password here
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
.........................................................+++++
...................+++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
................+++++
........................+++++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Splunk> All batbelt. No tights.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /opt/splunk/var/lib/splunk
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/appserver/i18n
Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/run/splunk/search_telemetry
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunk/etc/auth'.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-8.1.3-63079c59e632-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Generating a RSA private key
..............+++++
...+++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=toshi-VirtualBox/O=SplunkUser
Getting CA Private Key
writing RSA key
Done
Waiting for web server at http://127.0.0.1:8000 to be available... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://toshi-VirtualBox:8000
root@toshi-VirtualBox:~#
-
Enable boot-start so Splunk comes up after a reboot.
sudo splunk enable boot-start
As written this registers a start-up script that runs splunkd as root, which is fine for a throwaway lab box but not for anything reachable from a network. Splunk supports running as a dedicated unprivileged user: create a splunk user, chown -R it over /opt/splunk, and register with sudo splunk enable boot-start -user splunk (add -systemd-managed 1 on a systemd host to get a Splunkd.service unit instead of an init script).
-
Open Firefox and access http://localhost:8000
Log in to Splunk with the admin account and password you configured in step 3.
-
(Optional) The Enterprise trial license expires after 60 days. Convert the license type from Enterprise to Free, which lets you index up to 500 MB of data per day indefinitely. Be aware of what Free removes: authentication is disabled entirely, so anyone who can reach port 8000 is admin, and alerting and distributed search are gone. Only switch to Free on a lab box that is not exposed to a network.
About Splunk Free - Splunk Documentation
-
You can stop and start Splunk using the commands below.
sudo splunk stop
sudo splunk start
If sudo reports that splunk cannot be found, that is because Ubuntu's sudoers resets PATH via secure_path and does not see the entry added to /etc/profile; use the full path instead, e.g. sudo /opt/splunk/bin/splunk stop.
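The download, extraction, first start and boot-start steps above, gathered into one unattended install script as an added example (this is not part of the original page and not Splunk's own tooling). It adds the checks a practitioner would want: the tarball is verified against a SHA512 digest before extraction, splunkd runs as a dedicated splunk user rather than root, and the admin password is seeded through Splunk's user-seed.conf so there is no interactive prompt. The version, build id and download URL are the page's. Assumptions made here: that the digest is published next to the tarball as <tarball URL>.sha512 (if that path does not exist, fetch the checksum from the Splunk download page and keep the rest), the SPLUNK_ADMIN_PASSWORD environment variable, and the service user name splunk.

```shell
#!/bin/sh
# Added example: unattended Splunk Enterprise install for the procedure on this page.
# Run as root:   SPLUNK_ADMIN_PASSWORD='...' sh install_splunk.sh install
# Without the "install" argument only the helper functions are defined.

# Verify a tarball against a SHA512 digest file. Accepts both the OpenSSL
# style "SHA512(file)= <hex>" and the sha512sum style "<hex>  file": the
# first 128-hex-digit token in the file is taken as the expected digest.
verify_sha512() {
  tarball=$1
  sumfile=$2
  expected=$(grep -oE '[0-9a-fA-F]{128}' "$sumfile" | head -n 1 | tr 'A-F' 'a-f')
  if [ -z "$expected" ]; then
    echo "no SHA512 digest found in $sumfile" >&2
    return 2
  fi
  actual=$(sha512sum "$tarball" | cut -d' ' -f1)
  if [ "$expected" != "$actual" ]; then
    echo "SHA512 mismatch for $tarball: refusing to extract" >&2
    return 1
  fi
  return 0
}

# Write Splunk's user-seed.conf so the first start creates the admin account
# without prompting. Splunk consumes and deletes the file on first start, but
# it holds a cleartext password until then, so it is created with mode 0600.
# Prints the path of the file it wrote.
write_user_seed() {
  seed="$1/etc/system/local/user-seed.conf"
  mkdir -p "$(dirname "$seed")"
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$3" > "$seed" )
  echo "$seed"
}

install_splunk() {
  set -eu
  ver=9.4.0
  build=6b4ebe426ca6
  tgz="splunk-${ver}-${build}-linux-amd64.tgz"
  url="https://download.splunk.com/products/splunk/releases/${ver}/linux/${tgz}"
  svc_user=splunk        # dedicated unprivileged service account (assumed name)
  admin_pass=${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD in the environment}

  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  cd /tmp
  wget -O "$tgz" "$url"
  # ASSUMPTION: the SHA512 digest is published next to the tarball as "<tarball>.sha512".
  wget -O "$tgz.sha512" "$url.sha512"
  verify_sha512 "$tgz" "$tgz.sha512"      # set -e aborts the install on mismatch
  tar xzf "$tgz" -C /opt/

  id "$svc_user" >/dev/null 2>&1 || \
    useradd --system --home-dir /opt/splunk --shell /usr/sbin/nologin "$svc_user"
  write_user_seed /opt/splunk admin "$admin_pass" >/dev/null
  chown -R "$svc_user:$svc_user" /opt/splunk

  # First start as the service user: accepts the license, consumes user-seed.conf
  # and generates the self-signed certs under /opt/splunk/etc/auth. Stop it again
  # so that systemd, not this shell, ends up owning the daemon.
  su -s /bin/sh "$svc_user" -c "/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt"
  su -s /bin/sh "$svc_user" -c "/opt/splunk/bin/splunk stop"

  # Register Splunkd.service running as $svc_user rather than root. The CLI was
  # run as root here, so re-chown in case it left root-owned files behind.
  /opt/splunk/bin/splunk enable boot-start -user "$svc_user" -systemd-managed 1
  chown -R "$svc_user:$svc_user" /opt/splunk
  systemctl start Splunkd
}

case "${1:-}" in
  install) install_splunk ;;
esac
```

Invoke it as root with SPLUNK_ADMIN_PASSWORD='...' sh install_splunk.sh install; the two helper functions can be sourced and used on their own. Stopping the first-start process and bringing Splunk back through systemctl is what makes boot-start actually own the daemon, so later sudo systemctl stop Splunkd / start Splunkd behave the same as the splunk stop / splunk start commands above.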