Instructions

  1. Prepare a Linux box. On this page, we will use Ubuntu 18.04.5 LTS.

    <Sample configuration>
    OS type: Ubuntu 18.04.5 LTS※1
    CPU: 2 Processors※2
    RAM: 4 GB
    Disk: 60 GB

    Ubuntu 18.04.5 LTS Desktop image download link:
    https://releases.ubuntu.com/18.04/ubuntu-18.04.5-desktop-amd64.iso (If the link is broken, there is probably a new version of Ubuntu. Visit Ubuntu 18.04.6 LTS (Bionic Beaver) and select "Desktop image" for the latest ISO.)

    ※1 It does not need to be Ubuntu 18.04 LTS. Either Ubuntu 20.04 LTS or 22.04 LTS is fine.
    ※2 Splunk Enterprise does not support ARM architecture, including Apple Silicon.

  2. Download the Splunk binary and extract it to the /opt directory.
    If you are running the Linux server on VirtualBox, disable the Netskope client first; otherwise you will get a certificate error.

    sudo su -
    wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"
    tar xvzf splunk*.tgz -C /opt/
    echo "export PATH=\$PATH:/opt/splunk/bin" >> /etc/profile
    source /etc/profile


  3. Start Splunk, accepting the license terms, and configure your admin account and password. This is a user for the Splunk instance; it is not related to your Linux user.


    splunk start --accept-license


    Console output example:

    root@toshi-VirtualBox:~# splunk start --accept-license

    This appears to be your first time running this version of Splunk.

    Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
    Create credentials for the administrator account.
    Characters do not appear on the screen when you type in credentials.

    Please enter an administrator username: admin ★Enter the admin user name here
    Password must contain at least:
    * 8 total printable ASCII character(s).
    Please enter a new password: ★Enter your admin password here
    Please confirm new password: ★Enter your admin password here
    Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
    Generating RSA private key, 2048 bit long modulus
    .........................................................+++++
    ...................+++++
    e is 65537 (0x10001)
    writing RSA key

    Generating RSA private key, 2048 bit long modulus
    ................+++++
    ........................+++++
    e is 65537 (0x10001)
    writing RSA key

    Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.

    Splunk> All batbelt. No tights.

    Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
    Checking configuration... Done.
    Creating: /opt/splunk/var/lib/splunk
    Creating: /opt/splunk/var/run/splunk
    Creating: /opt/splunk/var/run/splunk/appserver/i18n
    Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
    Creating: /opt/splunk/var/run/splunk/upload
    Creating: /opt/splunk/var/run/splunk/search_telemetry
    Creating: /opt/splunk/var/spool/splunk
    Creating: /opt/splunk/var/spool/dirmoncache
    Creating: /opt/splunk/var/lib/splunk/authDb
    Creating: /opt/splunk/var/lib/splunk/hashDb
    New certs have been generated in '/opt/splunk/etc/auth'.
    Checking critical directories... Done
    Checking indexes...
    Validated: _audit _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
    Done
    Checking filesystem compatibility... Done
    Checking conf files for problems...
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-8.1.3-63079c59e632-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
    All preliminary checks passed.

    Starting splunk server daemon (splunkd)...
    Generating a RSA private key
    ..............+++++
    ...+++++
    writing new private key to 'privKeySecure.pem'
    -----
    Signature ok
    subject=/CN=toshi-VirtualBox/O=SplunkUser
    Getting CA Private Key
    writing RSA key
    Done


    Waiting for web server at http://127.0.0.1:8000 to be available... Done


    If you get stuck, we're here to help.
    Look for answers here: http://docs.splunk.com

    The Splunk web interface is at http://toshi-VirtualBox:8000

    root@toshi-VirtualBox:~#


  4. Enable boot-start


    # Full path: sudo's secure_path does not include /opt/splunk/bin
    sudo /opt/splunk/bin/splunk enable boot-start


  5. Open Firefox and access http://localhost:8000
    Log in to Splunk with the username and password you configured in step 3.

  6. (Optional) The Enterprise license will expire within 60 days. Convert the license type from Enterprise to Free. You can feed up to 512MB of data every day forever.
    See: About Splunk Free - Splunk Documentation

  7. You can stop/start Splunk using the commands below.

    # Full path: sudo's secure_path does not include /opt/splunk/bin
    sudo /opt/splunk/bin/splunk stop
    sudo /opt/splunk/bin/splunk start
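
An integrity check for the tarball downloaded in step 2, run before it is extracted into /opt as root. This is an added example, not part of the original instructions; the function names are hypothetical, and it assumes you have obtained the vendor's published SHA-512 checksum file for the same package over a trusted channel.

```shell
# Added example: verify a downloaded tarball against a SHA-512 checksum file
# before extracting it as root. Function names here are hypothetical.
# Assumption: the checksum file was fetched separately from the vendor.

# Pull the digest out of a checksum file in either common layout:
#   OpenSSL/BSD style:   SHA512(name.tgz)= <hex>
#   GNU coreutils style: <hex>  name.tgz
expected_sha512() {
    # First 128-hex-character token in the file, normalised to lowercase
    grep -oiE '[0-9a-f]{128}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 on missing or unusable input.
verify_sha512() {
    local tarball=$1 sumfile=$2 want got
    if [ ! -r "$tarball" ] || [ ! -r "$sumfile" ]; then
        echo "missing input file" >&2
        return 2
    fi
    want=$(expected_sha512 "$sumfile")
    if [ -z "$want" ]; then
        echo "no SHA-512 digest found in $sumfile" >&2
        return 2
    fi
    got=$(sha512sum "$tarball" | awk '{print $1}')
    if [ "$got" = "$want" ]; then
        echo "OK: $tarball"
        return 0
    fi
    echo "MISMATCH: $tarball" >&2
    echo "  expected $want" >&2
    echo "  got      $got" >&2
    return 1
}

# Extract into the destination only when verification succeeds.
verified_extract() {
    local tarball=$1 sumfile=$2 dest=$3
    verify_sha512 "$tarball" "$sumfile" && tar xzf "$tarball" -C "$dest"
}

# Usage in place of the plain tar command in step 2 (checksum file name assumed):
#   verified_extract splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz splunk.tgz.sha512 /opt/
```

A mismatch or an unreadable checksum file leaves /opt untouched, so a corrupted or altered download never reaches the install directory.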
