Simple and Universal Way to Install Splunk Enterprise on Mac

May 6, 2024

If you're already familiar with Splunk, its components, architecture, and the phases of the data pipeline, you might be eager to see Splunk in action. This guide will walk you through the process of installing Splunk Enterprise on non-Windows platforms such as macOS and Linux. By following these step-by-step instructions, you'll be able to set up Splunk Enterprise on your preferred non-Windows operating system and start exploring its powerful features for data collection, indexing, and analysis. Whether you're a seasoned Splunk user or just getting started, this guide will help you get Splunk up and running quickly in a few simple steps.

Hardware and Software Prerequisites to Install Splunk Enterprise

Before installing Splunk Enterprise, it is crucial to know the prerequisites. The hardware and software requirements for installing Splunk Enterprise on a non-Windows platform like macOS or Linux depend heavily on factors related to your specific use case and environment. These factors include:

Splunk Enterprise is highly scalable and can be installed on a wide range of hardware, from small desktop-sized computers to large multi-core servers capable of processing terabytes of data. To take advantage of this scaling capability, it is essential to plan your deployment carefully.

According to the Introduction to Capacity Planning for Splunk Enterprise, you should review the components of a Splunk Enterprise deployment to understand the elements involved in a Splunk Enterprise installation. It is also crucial to consider the dimensions of a Splunk Enterprise deployment, how those dimensions impact performance, and how to maximize performance.

Furthermore, it is recommended to learn about the basic building block of a Splunk Enterprise deployment, which is described in the "Reference Hardware" section of the capacity planning manual.

By taking these factors into account and reviewing the capacity planning documentation, you can determine the appropriate hardware and software requirements for your specific Splunk Enterprise deployment, ensuring optimal performance and scalability.

However, since we are going to use Splunk in a lab environment, in this demo we are installing Splunk Enterprise on one of our Mac notebooks with an Intel i9 chip (x86_64 architecture) and 32 GB of RAM.

Splunk recommends the following for installing Splunk Enterprise as a stand-alone single instance:

  • An x86 64-bit chip architecture

  • 12 physical CPU cores, or 24 vCPU at 2 GHz or greater speed per core.

  • 12 GB RAM.

  • For storage, review the Indexer recommendation in What storage type should I use for a role?

  • A 1 Gb Ethernet NIC, optional second NIC for a management network.

  • A 64-bit Linux or Windows distribution. See Supported Operating Systems in the Installation Manual.

Network Prerequisites to Install Splunk Enterprise

Hardware and software alone are not enough to run Splunk; the network is also a pivotal factor. Have your network configuration plan ready before proceeding with the installation. Assign a static IP address and set a hostname according to your organization's naming convention. Configure your firewall to allow inbound and outbound traffic on the following ports:

  • Web interface: Port 8000 (HTTP) or 443 (HTTPS)

  • Splunk indexer communication: Port 9997 (TCP)

  • Splunk search head to indexer communication: Port 8089 (TCP)

  • Splunk forwarder to indexer communication: Port 9997 (TCP)

  • Splunk deployment server to forwarder communication: Port 8089 (TCP)

Ensure reliable network connectivity between Splunk components and sufficient bandwidth to support the expected data volume and search activity.

Install Splunk Enterprise on Mac

We assume you now have the prerequisites in place to download the Splunk Enterprise package and install it on your Mac or Linux machine. There are other ways to install Splunk, from ready-to-install compiled binary packages, but in this demo we install Splunk using its .tgz file, since this is the universal method. You can follow the same process on other Linux distributions such as RedHat, Ubuntu, Kali Linux, Debian, Arch, SUSE, and pretty much anything else.

Step 1: Create a Splunk Account

You must be logged in to Splunk to download the package, so your first action should be to sign up, register, and sign in to your account.

  1. Visit the Splunk page.

  2. If you don't have a Splunk account, click on the "Sign Up" button located on the top right corner of the page.

  3. Fill in the required information, such as your name, email address, company name, and create a password. Make sure to use a valid email address as you will need to verify your account.

  4. Read and accept the terms and conditions, then click on the "Create Account" button.

  5. Check your email inbox for a verification link from Splunk. Click on the link to verify your account.

  6. If you already have a Splunk account, simply click on the "Log In" button and enter your credentials.

Step 2: Download Splunk Enterprise

Once you have created and logged into your Splunk account, you can proceed to download the Splunk Enterprise package for macOS.

  1. On the Splunk Enterprise Downloads page, select the macOS platform from the available options. It should be pre-selected based on your operating system.

  2. Choose the .tgz file format for the latest stable version of Splunk Enterprise. As of this writing, the latest version is 9.2.1.

  3. Copy the provided download link or command. You will use this link to download the package via the command line in the next step.

Step 3: Open Terminal and Navigate to the Download Directory

To download and install Splunk Enterprise, you will need to use the Terminal application on your Mac.

  1. Open the Terminal application. You can find it in the "Applications" folder under "Utilities" or by using Spotlight search (press Command + Space and type "Terminal").

  2. Once the Terminal window opens, navigate to the directory where you want to download the Splunk package. You can use the cd command followed by the directory path. For example, to navigate to the Downloads folder, type:

cd ~/Downloads

  3. Press Enter to execute the command and change the current directory.

Step 4: Download the Splunk Package

Now that you are in the desired download directory, you can use the curl command to download the Splunk package.

  1. In the Terminal window, type curl --output <filename> followed by a space and paste the download link you copied earlier. For example:

curl --output splunk-9.2.1-78803f08aabb-darwin-64.tgz "https://download.splunk.com/products/splunk/releases/9.2.1/osx/splunk-9.2.1-78803f08aabb-darwin-64.tgz"

  2. Press Enter to execute the command. The download process will start, and you will see the progress in the Terminal window.

  3. Once the download is complete, you can verify that the .tgz file is present in the current directory by using the ls command.

Step 5: Create a Dedicated User for Splunk (Optional)

Although not mandatory, it is a good practice to create a dedicated user for running Splunk. This helps to isolate Splunk's processes and enhances security. To create a new user, follow these steps:

In the Terminal, type the following commands, pressing Enter after each line. These commands create a "splunk" group and a new user account named "splunk" whose home directory is /Users/splunk (the group is created first so that the user's PrimaryGroupID refers to a group that exists):

sudo dscl . -create /Groups/splunk
sudo dscl . -create /Groups/splunk PrimaryGroupID 1001
sudo dscl . -create /Users/splunk
sudo dscl . -create /Users/splunk UserShell /bin/bash
sudo dscl . -create /Users/splunk RealName "Splunk User"
sudo dscl . -create /Users/splunk UniqueID 1001
sudo dscl . -create /Users/splunk PrimaryGroupID 1001
sudo dscl . -create /Users/splunk NFSHomeDirectory /Users/splunk
sudo mkdir -p /Users/splunk
sudo chown -R splunk:splunk /Users/splunk

Before running these, make sure the ids 1001 are not already taken: dscl . -list /Users UniqueID and dscl . -list /Groups PrimaryGroupID show the ids currently in use.

Set a password for the newly created user by typing:

sudo dscl . -passwd /Users/splunk

You will be prompted to enter and confirm the password.

Step 6: Extract the Splunk Package

Now that you have downloaded the Splunk package, you need to extract its contents.

  1. In the Terminal, ensure that you are in the directory where the .tgz file was downloaded (e.g., ~/Downloads).

  2. Type the following command to extract the package:

tar -xzvf splunk-9.2.1-78803f08aabb-darwin-64.tgz

This command extracts the contents of the .tgz file into a new directory named splunk in the current location.

Step 7: Move the Splunk Directory

To keep your file system organized and make Splunk accessible system-wide, it's recommended to move the extracted splunk directory to the /Applications directory.

  1. In the Terminal, type the following command:

sudo mv splunk /Applications/

This command moves the splunk directory to the /Applications directory, which is the standard location for installing applications on macOS.

  2. You may be prompted to enter your macOS user password to authorize the move operation.

Step 8: Change Ownership of the Splunk Directory (Optional)

If you created a dedicated "splunk" user earlier, it's a good idea to change the ownership of the Splunk directory to that user. This ensures that the Splunk processes run under the correct user account.

In the Terminal, type the following command:

sudo chown -R splunk:staff /Applications/splunk

This command changes the ownership of the /Applications/splunk directory and all its contents to the "splunk" user and the "staff" group.
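The following script is an added example, not part of the original post, that performs Steps 5 and 8 together: it picks the lowest free UID and GID at or above 1001 instead of hard-coding 1001, creates the group before the user, and hands /Applications/splunk to the new account (owned by the splunk group here rather than staff) so that splunkd never needs to run as an administrator. The user name, the 1001 floor and the /Applications/splunk path are assumptions taken from this guide; the --apply flag and the Darwin check are mine.

```shell
# Added example (not from the original post): create the dedicated "splunk"
# service account from Steps 5 and 8 with a collision check on the UID/GID.
# Assumptions: account name "splunk", id floor 1001, install path below.
set -u

SPLUNK_USER=splunk
SPLUNK_HOME=/Applications/splunk
ID_FLOOR=1001   # first id to consider; ids below 1000 are used by macOS itself

# next_free_id <floor>: read "name id" lines (ids in use) on stdin and print the
# lowest id >= floor that is not in use. Pure text processing, so it can be
# exercised with constructed input on any platform.
next_free_id() {
  awk -v lo="$1" '
    NF { used[$NF] = 1 }
    END {
      id = lo
      while (id in used) id++
      print id
    }'
}

# Ids in use according to Directory Services (macOS only). Each output line
# ends with the id, which is the field next_free_id looks at.
uids_in_use() { dscl . -list /Users UniqueID; }
gids_in_use() { dscl . -list /Groups PrimaryGroupID; }

# create_service_account: group first, then user, then the home directory,
# so the user's PrimaryGroupID never points at a group that does not exist.
create_service_account() {
  if dscl . -read "/Users/$SPLUNK_USER" >/dev/null 2>&1; then
    echo "user $SPLUNK_USER already exists; nothing to do"
    return 0
  fi
  gid=$(gids_in_use | next_free_id "$ID_FLOOR")
  uid=$(uids_in_use | next_free_id "$ID_FLOOR")
  sudo dscl . -create "/Groups/$SPLUNK_USER"
  sudo dscl . -create "/Groups/$SPLUNK_USER" PrimaryGroupID "$gid"
  sudo dscl . -create "/Users/$SPLUNK_USER"
  sudo dscl . -create "/Users/$SPLUNK_USER" UserShell /bin/bash
  sudo dscl . -create "/Users/$SPLUNK_USER" RealName "Splunk User"
  sudo dscl . -create "/Users/$SPLUNK_USER" UniqueID "$uid"
  sudo dscl . -create "/Users/$SPLUNK_USER" PrimaryGroupID "$gid"
  sudo dscl . -create "/Users/$SPLUNK_USER" NFSHomeDirectory "/Users/$SPLUNK_USER"
  sudo mkdir -p "/Users/$SPLUNK_USER"
  sudo chown -R "$uid:$gid" "/Users/$SPLUNK_USER"
  # Step 8: hand the unpacked installation to the service account.
  if [ -d "$SPLUNK_HOME" ]; then
    sudo chown -R "$uid:$gid" "$SPLUNK_HOME"
  fi
  echo "created $SPLUNK_USER (uid=$uid gid=$gid)"
}

# Only touch Directory Services when explicitly asked, and only on macOS.
if [ "${1:-}" = "--apply" ] && [ "$(uname)" = "Darwin" ]; then
  create_service_account
fi
```

Run it as ./create-splunk-user.sh --apply on the Mac; without --apply it only defines the functions.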

Step 9: Start Splunk

Now that Splunk is installed, you can start the Splunk service.

If you created a dedicated "splunk" user, switch to that user by typing:

sudo su splunk

This command switches the current user to "splunk".

Navigate to the Splunk installation directory:

cd /Applications/splunk/bin

Start Splunk by running the following command:

./splunk start

This command initiates the Splunk startup process. You will be prompted to accept the license agreement and create an admin username and password.

Follow the on-screen instructions to complete the initial setup. Make sure to remember the admin credentials you set up, as you will need them to access the Splunk web interface.

Step 10: Access the Splunk Web Interface

Once Splunk has started successfully, it prints the web interface URL at the end of its output. Open a web browser and navigate to http://localhost:8000. Log in using the admin credentials you created during the initial setup.

Congratulations! You have now successfully installed Splunk Enterprise on your Mac using the .tgz file. You can start exploring Splunk's various features and capabilities.

Remember to configure your firewall and open the necessary ports as mentioned in the network prerequisites section to ensure proper communication between Splunk components and allow access to the Splunk web interface.

If you encounter any issues during the installation process or have specific requirements, refer to the official Splunk documentation or seek assistance from the Splunk community forums.

Administrative Commands for Beginners

Now that you have successfully installed Splunk Enterprise on your Mac, let's explore a few essential administrative commands that will help you manage your Splunk installation. These commands are executed using the Splunk command-line interface (CLI) and provide a way to control and monitor your Splunk instance.

Before diving into the commands, make sure you are in the Splunk installation directory. Open a Terminal window and navigate to the Splunk bin directory:

cd /Applications/splunk/bin

1. Start Splunk

To start your Splunk instance, use the start command:

./splunk start

This command starts all the necessary Splunk processes and services. You will see output indicating the status of each process as it starts up.

2. Stop Splunk

To stop your Splunk instance gracefully, use the stop command:

./splunk stop

This command initiates a clean shutdown of all Splunk processes and services. It may take a few moments for all processes to terminate.

3. Restart Splunk

If you need to restart your Splunk instance, you can use the restart command:

./splunk restart

This command is equivalent to running stop followed by start. It's useful when you've made configuration changes that require a restart to take effect.

4. Check Splunk Status

To check the current status of your Splunk instance, use the status command:

./splunk status

This command displays information about the running Splunk processes, including the process IDs and uptime.

5. View Splunk Version

To view the version of Splunk Enterprise installed on your system, use the version command:

./splunk version

This command displays the Splunk version number, build number, and other relevant version information.

6. Manage Splunk Services

Splunk Enterprise runs several services, such as the Splunk web interface and the Splunk indexing service. You can manage these services individually using the enable and disable commands.

To enable a Splunk service, use the enable command followed by the service name. For example, to enable the Splunk web interface:

./splunk enable webserver

To disable a Splunk service, use the disable command followed by the service name. For example, to disable the Splunk indexing service:

./splunk disable local-index

Note that enabling or disabling services may require a restart of Splunk for the changes to take effect.

7. Access Splunk Help

Splunk provides a built-in help system that you can access from the command line. To view the available commands and their descriptions, use the help command:

./splunk help

This command displays a list of available Splunk commands along with a brief description of each command.

To get more detailed information about a specific command, use the help command followed by the command name. For example, to learn more about the start command:

./splunk help start

This command provides a detailed explanation of the start command, including its usage, options, and examples.

These are just a few of the many administrative commands available in Splunk Enterprise. As you become more familiar with Splunk, you can explore additional commands and options to customize and manage your Splunk installation effectively.

Remember to refer to the official Splunk documentation for a comprehensive list of commands and their usage. The documentation provides detailed information on each command, along with examples and best practices.

General Settings Configuration

After installing Splunk Enterprise on your Mac, it's important to review and configure the general settings to ensure optimal performance and security. The general settings cover various aspects of your Splunk installation, such as server name, management port, SSL configuration, and index settings. Let's take a look at some of the key settings and recommended changes.

To browse the General Settings from the web console, go to Settings -> Server Settings -> General Settings.

  1. Splunk Server Name: The server name is set to "Apples-MBP-2.local" in this demo. It's a good practice to change this to a meaningful name that reflects your Splunk server's purpose or environment. For example, you can set it to "splunk-prod-01" for a production instance or "splunk-dev-01" for a development instance.

  2. Management Port: The management port is set to 8089, which is the default port used by Splunk for internal communication between components. It's recommended to keep this port number as is unless you have a specific reason to change it.

  3. SSL Configuration: By default, SSL (HTTPS) is disabled for the Splunk web interface, which means that the communication between the web browser and Splunk server is not encrypted. It's highly recommended to enable SSL to protect sensitive data and prevent unauthorized access. To enable SSL, set the "Enable SSL (HTTPS) in Splunk Web?" option to "Yes" in the general settings.

  4. Web Port: The web port is set to 8000, which is the default port for accessing the Splunk web interface. If you have other applications running on this port or want to use a different port for Splunk web access, you can change it here. Make sure to choose a port number that is not already in use by other applications.

  5. Session Timeout: The session timeout is set to 1 hour (1h) by default. This means that if a user is inactive for more than 1 hour, their session will expire, and they will be required to log in again. You can adjust this value based on your security requirements. For example, you might want to set a shorter timeout for sensitive environments or a longer timeout for less critical systems.

  6. Pause Indexing If Free Disk Space Falls Below: This setting determines the minimum free disk space threshold for indexing. If the free disk space falls below the specified value (5000 MB in this case), Splunk will pause indexing to prevent running out of storage. It's important to set this value based on your available disk space and data volume. Make sure to monitor your disk usage regularly and adjust this setting as needed.

  7. KV Store Port: The KV Store port is set to 8191. Keep this port as is unless you have specific requirements or conflicts with other applications.

These are some of the key general settings to review and configure after installing Splunk Enterprise on your Mac. It's important to understand the purpose of each setting and make informed decisions based on your specific environment and requirements.

Splunk Health Check

After configuring the general settings, it's important to perform a health check on your Splunk Enterprise installation to ensure that it is running optimally and adhering to best practices. Splunk provides a built-in monitoring console that allows you to conduct a comprehensive health check of your Splunk instance.

To access the monitoring console, follow these steps:

  1. Log in to your Splunk web interface.

  2. Go to "Settings" and then "Monitoring Console."

  3. Go to "Health Check" and then click on the "Start" button.

The health check will run a series of tests to assess various aspects of your Splunk installation, including hardware specifications, system limits, and best practice adherence. Here are a few key areas to review:

  1. Hardware Specifications: The health check will compare your current hardware specifications against the recommended minimum requirements. For example, it will check if your physical memory meets the recommended 12 GB. If any specifications fall below the recommendations, you should consider upgrading your hardware to ensure optimal performance.

  2. System Limits: The health check will assess server limits, such as file descriptors and user limits. It will compare the current values against the recommended settings. If any limits are below the recommended values, you should adjust them accordingly. For example, increasing the user limits can help prevent resource exhaustion and improve Splunk's performance.

  3. Transparent Huge Pages: The health check will verify if transparent huge pages are disabled, which is a recommended best practice for Splunk. Transparent huge pages can cause performance issues and should be disabled. On a Linux host you can confirm this by running the command cat /sys/kernel/mm/transparent_hugepage/enabled in the terminal, which should return "never" if transparent huge pages are disabled; macOS does not expose this setting, so the check applies to Linux installations only.

By running the health check and addressing any identified issues or deviations from best practices, you can ensure that your Splunk installation is optimized for performance and stability. It's a good practice to perform health checks regularly, especially after making significant changes to your Splunk environment.

Uninstall Splunk on Mac

If you no longer need Splunk Enterprise on your Mac or want to start fresh with a new installation, you can uninstall Splunk using the following steps. Before proceeding, make sure you have backed up any important data or configurations that you want to keep.

Step 1: Stop Splunk

Before uninstalling Splunk, you need to stop all running Splunk processes and services.

  1. Open a Terminal window.

  2. Navigate to the Splunk installation directory: cd /Applications/splunk/bin

  3. Stop Splunk by running the following command:

./splunk stop

This command initiates a graceful shutdown of all Splunk processes and services. Wait for the command to complete.

Step 2: Remove the Splunk Installation Directory

The main Splunk installation directory contains all the Splunk files and configurations. To uninstall Splunk, you need to remove this directory.

  1. In the Terminal, navigate to the parent directory of the Splunk installation: cd /Applications

  2. Remove the Splunk directory using the following command:

sudo rm -rf splunk

This command removes the splunk directory and all its contents. You may be prompted to enter your macOS user password to authorize the removal.

Step 3: Remove the Splunk User and Group (Optional)

If you created a dedicated user and group for running Splunk, you can remove them as well.

  1. In the Terminal, run the following commands to remove the Splunk user and group:

sudo dscl . -delete /Users/splunk
sudo dscl . -delete /Groups/splunk
sudo rm -rf /Users/splunk

These commands remove the splunk user and the splunk group from the system. Deleting the account with dscl does not remove its home directory, so the last command deletes /Users/splunk separately.

Step 4: Remove Splunk Symlinks (Optional)

If you created any symlinks or shortcuts to the Splunk executables, you should remove them as well.

  1. In the Terminal, run the following command to remove any Splunk symlinks in the /usr/local/bin directory:

sudo rm /usr/local/bin/splunk

This command removes the splunk symlink from the /usr/local/bin directory. If you created symlinks in other locations, make sure to remove them as well.

Step 5: Remove Splunk Preferences and Logs (Optional)

Splunk stores user preferences and logs in the user's home directory. If you want to completely remove all traces of Splunk from your system, you can delete these files as well.

  1. In the Terminal, run the following commands to remove Splunk preferences and logs:

rm -rf ~/.splunk
sudo rm -rf "/Library/Application Support/Splunk"
sudo rm -rf /Library/Logs/Splunk

These commands remove the .splunk directory from your home directory and the Splunk-related directories from the /Library directory. The path containing a space must be quoted; otherwise rm would be handed two separate paths, /Library/Application and Support/Splunk.

That's it! You have successfully uninstalled Splunk Enterprise from your Mac. All Splunk files, directories, and configurations have been removed from your system.

If you decide to reinstall Splunk in the future, you can follow the installation steps provided earlier in this guide.

Remember, if you have any custom configurations, dashboards, or data that you want to keep, make sure to back them up before uninstalling Splunk. You can export your configurations and data from the Splunk web interface or by using the relevant CLI commands.

Congratulations on completing the Splunk Enterprise installation and configuration process on your Mac! You now have a powerful tool at your disposal for collecting, searching, and analyzing machine-generated data. Remember to explore Splunk's extensive features, create insightful dashboards, and leverage the vibrant Splunk community for continuous learning and support. With Splunk, you can unlock the hidden value in your data and make informed decisions to drive your business forward. Happy Splunking, and may your data-driven journey be filled with success!

We hope this article helps you understand the universal way to install Splunk Enterprise on any non-Windows platform (Mac & Linux). We will end this article here and cover more about Splunk in upcoming articles. Please keep visiting thesecmaster.com for more such technical information. Visit our social media pages on Facebook, Instagram, LinkedIn, Twitter, Telegram, Tumblr, and Medium and subscribe to receive information like this.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
