January 8, 2024

Step-By-Step Procedure To Install Splunk On Linux Server

How To Install Splunk On Linux Server

If you have ever been part of an organization, you know how many assets it has. It’s a lot, right? Laptops, desktops, servers, access points, network switches, routers, firewalls, telephones, printers, biometric devices, cameras, CCTVs, and on top of these, tons of applications, services, software, and interfaces to operate the organization. Take a small device like a biometric reader, which captures access information whenever someone swipes to log in or log out. Imagine how much data just that one small device generates. Then imagine the amount of data generated by all the assets in an organization. The biggest challenge is how to process that data. How do you extract the required information from a large chunk of data? How do you analyze the data? The solution to this problem lies in a good analytics tool. Splunk is one of the popular tools in the data analytics landscape. However, you need to install and configure Splunk to make use of it. Let’s see how to install Splunk on a Linux platform.

What Is Splunk?

Splunk is a log analyzer tool that takes machine data as input and lets the analyst query the data through its web interface. Splunk is mostly used to search, analyze, monitor, and visualize the machine data generated by workstations, servers, applications, appliances, sensors, and other assets. The Splunk application is developed by Splunk Inc., an American technology company based in San Francisco, California. Splunk has a variety of products for different applications. Check out the products page for more information.

Components Of Splunk:

Before we jump into the installation, it helps to know about Splunk's architecture. We’re going to look at it from a high level.

Splunk has three core components: Indexer, Forwarder, Search head. So let’s jump right into that.

  1. Splunk Indexer: The indexer is the secret sauce that puts your data or your log files into a searchable form. The indexer receives the log files and indexes them so that they can be searched.

  2. Search Head: The search head is the user interface that Splunk users, and mostly even the administrators, use and configure. This is the graphical interface where you write your queries, create alerts, and do a lot of the Splunk administration. It is what you will think of as the Splunk environment, and you will interact with it on a daily basis.

  3. Forwarder: The forwarder is what gets data from our distributed environment into the indexers. It is an agent that runs on devices: a small application running on a server, virtual machine, or device that takes specific log files and sends them to our indexer.

The Architecture Of Splunk:

Splunk Standalone Deployment

Let’s look at an architectural view of that. Say we have several different servers running around our data center. We can install forwarders on each of those machines, and then we have our indexers. Say we have two indexers in our environment, either because the environment is very large or because we want fault tolerance. You can have multiple search heads, but in our environment we’re only going to have one. So how does this work from an architecture perspective? Your forwarders send data to your indexers, and whenever a search is created, you’re actually searching that data. In the development environment we’re building here, everything is on one standalone system. As your system grows, the architecture gets more complex and the functionality becomes distributed: a server dedicated to a search head, maybe two servers dedicated to your indexers, and multiple, maybe even hundreds of thousands of, forwarders installed all around your data center or your IT environment.

How Does Splunk Licensing Work?

Let’s talk a little bit about Splunk licensing. Splunk is licensed by ingest rate, a cost per terabyte of how much you’re ingesting. Splunk has a free version, which is capped at around 500 MB a day and lacks certain functionality. You can still take advantage of the Splunk Free license to work through searching and look at the different components within the Splunk environment. What the majority of enterprises run is Splunk Enterprise. The amount of data and the cost will vary, but it really comes down to how many gigabytes per day you ingest. Are you doing 100? 2 TB? It all depends, and you have to work with a Splunk sales representative at that point. For more information about the types of Splunk licenses and the license usage report, view the Admin Manual.

Access License Usage Report:

On the license master:

  1. Navigate to Settings > Licensing.

  2. Select Usage report.

On the monitoring console:

  1. Navigate to Settings > Monitoring Console.

  2. Navigate to Indexing > License Usage.

  3. Select License Usage.

How To Install Splunk On Linux Server?

Now that we’ve covered how Splunk is licensed and we have a high-level view of the architecture, it’s time to get hands-on and start building out our own Splunk development environment. Splunk supports multiple OS platforms. You can install Splunk on Windows, macOS, and all the popular Linux distributions. This demo shows how to install Splunk on a Linux server. We have chosen the Ubuntu distribution, but of course you can install it on any Linux platform. Let’s see how to install Splunk on Ubuntu.

We are going to install a single instance of Splunk Enterprise on Ubuntu that plays the role of both Indexer and Search Head. You need to download Splunk Enterprise to install.

Step 1. Download Splunk on Ubuntu from the command line

Once you complete the free registration form, Splunk will allow you to download Splunk Enterprise. You can download the installer either directly from the browser or through the command line. It is easy to download Splunk through the command line. Run this command to download Splunk.

$ wget -O splunk- ''

Step 2. Install Splunk Enterprise on Ubuntu

After the download, enable the execution permission using the chmod +x command. Then install the Splunk package using the dpkg -i command.

$ chmod +x splunk-

Debian based Linux:
$ dpkg -i splunk-

Red Hat based Linux:
$ rpm -i splunk-
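
Packages installed with dpkg -i or rpm -i run their install scripts as root, so it is worth checking the downloaded file against a published SHA-512 digest before Step 2. The following is an added example, not part of the original post; the checksum file and the two layouts it accepts (OpenSSL style and coreutils style) are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded package against a published SHA-512
# digest before handing it to dpkg/rpm as root.

# extract_digest FILE: print the hex digest found in a checksum file written
# either as "SHA512(name)= <hex>" (OpenSSL) or "<hex>  name" (coreutils).
extract_digest() {
    awk '
        /^SHA512\(.*\)= *[0-9A-Fa-f]+$/ { sub(/^.*= */, ""); print tolower($0); exit }
        /^[0-9A-Fa-f]+ [ *]/             { print tolower($1); exit }
    ' "$1"
}

# verify_pkg PKG CHECKSUM_FILE
#   returns 0 on match, 1 on mismatch, 2 when an input is missing or unusable.
verify_pkg() {
    pkg=$1; sumfile=$2
    [ -r "$pkg" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }
    expected=$(extract_digest "$sumfile")
    # A SHA-512 digest is exactly 128 hex characters; reject anything else.
    [ "${#expected}" -eq 128 ] || { echo "no SHA-512 digest in $sumfile" >&2; return 2; }
    actual=$(sha512sum "$pkg" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pkg"
        return 0
    fi
    echo "MISMATCH: $pkg (do not install)" >&2
    return 1
}

# Usage: sh verify.sh <package file> <checksum file>
if [ "$#" -eq 2 ]; then
    verify_pkg "$1" "$2"
fi
```

Fetch the checksum file over HTTPS from the vendor's download page rather than from the same mirror as the package, and install only when the function returns 0.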

Step 3. Set up Splunk for the first time

Check the status using the command below. The first time it runs, Splunk will ask you to accept the license agreement and set up an admin account.

$ sudo /opt/splunk/bin/splunk status

Or, from the Splunk bin directory:

$ cd /opt/splunk/bin
$ sudo ./splunk status

Step 4. Start Splunk services

Start the Splunk Services using this command.

$ sudo /opt/splunk/bin/splunk start

Or, from the Splunk bin directory:

$ cd /opt/splunk/bin
$ sudo ./splunk start

Step 5. Accept license agreement and create admin account to log in to the Splunk console

Step 6. Splunk service started on port 8000

After accepting the license and configuring the admin account, Splunk Enterprise service will get started. You will see the login page URL at the end of the prompt.

Step 7. Check that the Splunk port is listening on Ubuntu

Verify that port 8000 is listening on the server using the netstat command.

$ netstat -ntpl
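
Step 7 confirms that something is listening on port 8000; the Local Address column also shows whether the Splunk login page is bound to every interface or to loopback only. The following is an added example, not part of the original post: it classifies the listener for a port from netstat -ntpl output, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listeners in `netstat -ntpl` output for one port.

# check_listener PORT: read `netstat -ntpl` text on stdin and print
#   exposed   bound to all interfaces or to a non-loopback address
#   loopback  bound to 127.0.0.0/8 or ::1 only
#   absent    nothing is listening on PORT
check_listener() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            p = addr; sub(/^.*:/, "", p)      # text after the last colon
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host ~ /^127\./ || host == "::1") lo = 1
            else ex = 1
        }
        END { print (ex ? "exposed" : (lo ? "loopback" : "absent")) }
    '
}

# Constructed sample in the layout printed by `netstat -ntpl` (not real output).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      2211/splunkd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      801/sshd
EOF
}

# On a live host: sudo netstat -ntpl | check_listener 8000
sample_netstat | check_listener 8000
```

An "exposed" result for port 8000 means the login page is reachable from any network that can route to the server, so access should be limited by a host firewall or security group to the analysts who need it.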

Step 8. Splunk service start and stop

Commands to start, stop, restart, and check the status of the Splunk service.

$ sudo /opt/splunk/bin/splunk status
$ sudo /opt/splunk/bin/splunk stop
$ sudo /opt/splunk/bin/splunk start

Step 9. Get the IP address of Ubuntu

Note down the IP address or hostname of the server.

$ sudo ifconfig

Step 10. Splunk login page

You can access the Splunk page on the browser using the IP or hostname with port


Step 11. Splunk sign in window

This is the first screen you will see after logging in for the first time. Click on the Search & Reporting App located at the left-hand side in the web console to submit search queries.

This completes the installation of Splunk on the Linux server.

We hope this post helps you learn how to install Splunk on a Linux server. Thanks for reading this post.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
