How to Install Splunk on Linux Server

Anyone who has worked inside an organization knows how many assets it owns: laptops, desktops, servers, access points, switches, routers, firewalls, telephones, printers, biometric readers, cameras and CCTV, plus the many applications, services and interfaces that keep the business running. Take a device as small as a biometric reader, which records an access event every time someone badges in or out; even that one device produces a steady stream of data. Multiply that by every asset in the organization and the real problem appears: how do you process that volume of data, extract the information you need from it, and analyze it? The answer is a good analytics tool, and Splunk is one of the most popular in the data analytics landscape. To use it you first have to install and configure it, so let's see how to install Splunk on a Linux platform.

What Is Splunk?

Splunk is a log analysis platform that ingests machine data and lets analysts query it through a web interface. It is most often used to search, analyze, monitor and visualize the machine data generated by workstations, servers, applications, appliances, sensors and other assets. Splunk is developed by Splunk Inc., an American technology company based in San Francisco, California, which offers a range of products for different use cases; see its products page for details.

Components Of Splunk:

Before we jump into the installation, it helps to understand the architecture at a high level.

Splunk has three core components: Indexer, Search Head and Forwarder.

  1. Indexer: The indexer is the component that makes your data searchable. It receives the raw events or log files, parses and indexes them, and stores the result so that searches can be run against it.
  2. Search Head: The search head is the web interface that users and administrators work in day to day. This is where you write searches, build dashboards and alerts, and do most Splunk administration; to a user it is effectively "Splunk".
  3. Forwarder: The forwarder is the agent that gets data from a distributed environment into the indexers. It is a small application that runs on a server, virtual machine or device, reads the configured log files or inputs, and sends them to the indexer.

The Architecture Of Splunk:

Splunk Standalone Deployment

Let's look at an architectural view. Say we have a number of servers spread around our data center. A forwarder is installed on each of those machines, and we run two indexers, either because the environment is large or because we want fault tolerance, and a single search head (you can run several, but one is enough here). The data flow is simple: the forwarders send data to the indexers, the indexers store it, and every search you run from the search head is answered by the indexers. In the development environment we build in this post, all three roles run on one standalone system. As an environment grows, the roles are split across dedicated hosts: a server for the search head, a couple of servers for indexers, and forwarders installed on hundreds or thousands of systems across the IT estate.

How Does Splunk Licensing Work?

Splunk licensing is based on how much data you ingest per day. Splunk offers a free version, Splunk Free, capped at 500 MB of indexed data per day; it also drops several features, notably user authentication, so anyone who can reach port 8000 on a Splunk Free instance is an administrator. That makes it suitable only for a lab or a single-user machine, but it is still a good way to explore searching and the other components of the environment. Most enterprises run Splunk Enterprise, whose cost depends on the daily ingest volume you license, whether that is 100 GB or 2 TB per day; for pricing you work with a Splunk sales representative. For the types of Splunk licenses and the license usage report, see the Admin Manual.

Access License Usage Report:

On the license master:

  1. Navigate to Settings > Licensing.
  2. Select Usage report.

On the monitoring console:

  1. Navigate to Settings > Monitoring Console.
  2. Navigate to Indexing > License Usage.
  3. Select License Usage.

How To Install Splunk On Linux Server?

Now that we've covered licensing and have a high-level view of the architecture, it's time to get hands-on and build our own Splunk development environment. Splunk supports multiple platforms: Windows, macOS and all the popular Linux distributions. This demo installs Splunk on an Ubuntu server, but the steps apply to any Linux platform with minor changes to the package commands.

We are going to install a single instance of Splunk Enterprise on Ubuntu that plays the role of both Indexer and Search Head. You need to download Splunk Enterprise from splunk.com, which requires a free account.


  1. Download Splunk on Ubuntu from the command line

    Once you complete the free registration form, Splunk lets you download Splunk Enterprise, either directly from the browser or from the command line. The command line is the easiest on a server; run this command to download the 8.2.2.1 package used in this post. Before installing, compute the file's SHA-512 with sha512sum and compare it with the SHA512 checksum the download page provides for each package; refuse to install a package whose hash does not match.

    $ wget -O splunk-8.2.2.1-ae6821b7c64b-linux-2.6-amd64.deb 'https://download.splunk.com/products/splunk/releases/8.2.2.1/linux/splunk-8.2.2.1-ae6821b7c64b-linux-2.6-amd64.deb'

  2. Install Splunk Enterprise on Ubuntu

    The downloaded file is a package, not an executable, so it does not need chmod +x. Install it with the distribution's package tool, which requires root:

    Debian based Linux:
    $ sudo dpkg -i splunk-8.2.2.1-ae6821b7c64b-linux-2.6-amd64.deb

    Red Hat based Linux (rpm cannot install a .deb; download the .rpm package for the same release from the download page):
    $ sudo rpm -i splunk-8.2.2.1-*.rpm

  3. Set up Splunk for the first time

    Check whether Splunk is running. On a fresh install it reports that splunkd is not running; the license prompt and the admin account setup appear when you start Splunk for the first time in the next step.

    $ sudo /opt/splunk/bin/splunk status

    Or

    $ cd /opt/splunk/bin
    $ sudo ./splunk status

  4. Start Splunk services

    Start Splunk. This demo runs everything as root through sudo, which is fine for a lab; on any real server create a dedicated splunk user, make it the owner of /opt/splunk, and start Splunk as that user so that a compromise of Splunk does not hand over root.

    $ sudo /opt/splunk/bin/splunk start

    Or

    $ cd /opt/splunk/bin
    $ sudo ./splunk start

  5. Accept the license agreement and create the admin account

    On the first start, Splunk displays the license agreement and asks you to accept it, then asks for the administrator username and password used to log in to the Splunk console. Choose a strong password; Splunk rejects passwords shorter than its default minimum of 8 characters.

  6. Splunk service started on port 8000

    After you accept the license and configure the admin account, splunkd starts and Splunk Web begins listening on port 8000. The last line of the output prints the URL of the web interface.

  7. Check that the Splunk port is listening on Ubuntu

    Verify that port 8000 is listening on the server with netstat. Recent Ubuntu releases do not install netstat by default; ss -ltnp from iproute2 shows the same information. You will also see splunkd's management port, 8089.

    $ netstat -ntpl

  8. Splunk service start and stop

    Commands to check the status of, stop, start and restart the Splunk service.

    $ sudo /opt/splunk/bin/splunk status
    $ sudo /opt/splunk/bin/splunk stop
    $ sudo /opt/splunk/bin/splunk start
    $ sudo /opt/splunk/bin/splunk restart

  9. Get the IP address of Ubuntu

    Note down the IP address or hostname of the server. ifconfig is part of the older net-tools package; if it is missing, ip -4 addr gives the same information.

    $ sudo ifconfig

  10. Splunk login page

    Open Splunk Web in a browser using the server's IP address or hostname and port 8000. By default Splunk Web serves plain HTTP; it answers on https:// only after you set enableSplunkWebSSL = true in /opt/splunk/etc/system/local/web.conf and restart Splunk, which you should do before exposing it beyond a lab network, since the admin credentials otherwise travel in clear text.

    http://IP:port

    http://192.168.0.111:8000

  11. Splunk sign-in window and home page

    Sign in with the admin account you created. The first screen you see after logging in is the Splunk home page. Click the Search & Reporting app on the left-hand side of the web console to submit search queries.

This completes the installation of Splunk on the Linux server.
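As an added example, not a script from this post or from Splunk, here are steps 1 through 10 collapsed into one non-interactive Bash script for an Ubuntu host. Beyond the manual steps it verifies the package's SHA-512 before installing, runs Splunk as a dedicated service account rather than root, seeds the admin account through user-seed.conf instead of the interactive prompt, turns on HTTPS for Splunk Web, enables boot-start, and opens the receiving port that forwarders send to. The version and build are the ones the post downloads; the service account name splunk, the receiving port 9997, and the SPLUNK_SHA512 and ADMIN_PASSWORD environment variables are assumptions of this example, and the checksum must be copied from the SHA512 link on the Splunk download page.

```shell
#!/usr/bin/env bash
# Added example, not Splunk's installer: steps 1-10 of the post as one
# non-interactive, checksum-verified install that runs Splunk as a dedicated
# service account instead of root. Version/build are the ones from the post;
# the service account name, the receiving port and the SPLUNK_SHA512 and
# ADMIN_PASSWORD variables are assumptions of this example.
set -eu

SPLUNK_VERSION="${SPLUNK_VERSION:-8.2.2.1}"
SPLUNK_BUILD="${SPLUNK_BUILD:-ae6821b7c64b}"
SPLUNK_HOME=/opt/splunk
SPLUNK_USER=splunk        # assumed dedicated, non-root service account
WEB_PORT=8000             # Splunk Web
RECEIVE_PORT=9997         # assumed port that forwarders will send to

# Package name and URL follow the pattern of the wget line in step 1.
splunk_pkg_name() { printf 'splunk-%s-%s-linux-2.6-amd64.deb' "$1" "$2"; }
splunk_pkg_url() {
  printf 'https://download.splunk.com/products/splunk/releases/%s/linux/%s' \
    "$1" "$(splunk_pkg_name "$1" "$2")"
}

# Compare a file's SHA-512 with the checksum copied from the download page.
# Returns 0 on match, 1 on mismatch; hex case is ignored.
verify_sha512() {
  local file="$1" expected="$2" actual
  actual="$(sha512sum "$file" | awk '{print $1}')"
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Given `ss -ltn` output, report whether any socket listens on the port
# (step 7 with ss, since current Ubuntu no longer ships netstat by default).
listening_on_port() {
  local port="$1" ss_output="$2"
  printf '%s\n' "$ss_output" |
    awk -v re=":${port}"'$' '$1 == "LISTEN" && $4 ~ re { found = 1 } END { exit found ? 0 : 1 }'
}

install_splunk() {
  local expected_sha="$1" pkg
  pkg="$(splunk_pkg_name "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
  wget -q -O "$pkg" "$(splunk_pkg_url "$SPLUNK_VERSION" "$SPLUNK_BUILD")"
  verify_sha512 "$pkg" "$expected_sha" ||
    { echo "checksum mismatch for $pkg, refusing to install" >&2; return 1; }

  # dpkg needs root; the .deb itself does not need chmod +x.
  sudo dpkg -i "$pkg"
  id "$SPLUNK_USER" >/dev/null 2>&1 ||
    sudo useradd --system --home-dir "$SPLUNK_HOME" --shell /usr/sbin/nologin "$SPLUNK_USER"
  sudo chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"

  # Seed the admin account (replaces the interactive prompt of step 5) and
  # make Splunk Web serve HTTPS; both files are read on the first start.
  sudo -u "$SPLUNK_USER" mkdir -p "$SPLUNK_HOME/etc/system/local"
  printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$ADMIN_PASSWORD" |
    sudo -u "$SPLUNK_USER" tee "$SPLUNK_HOME/etc/system/local/user-seed.conf" >/dev/null
  printf '[settings]\nenableSplunkWebSSL = true\n' |
    sudo -u "$SPLUNK_USER" tee "$SPLUNK_HOME/etc/system/local/web.conf" >/dev/null

  # First start as the service user, accepting the license non-interactively.
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  # Boot-start is enabled as root, but the service runs as the splunk user.
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
  # Open the receiving port so forwarders can ship data to this indexer.
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" enable listen "$RECEIVE_PORT" \
    -auth "admin:$ADMIN_PASSWORD"

  if listening_on_port "$WEB_PORT" "$(ss -ltn)"; then
    echo "Splunk Web is up at https://$(hostname -I | awk '{print $1}'):$WEB_PORT"
  else
    echo "splunkd started but nothing listens on $WEB_PORT; see $SPLUNK_HOME/var/log/splunk/splunkd.log" >&2
    return 1
  fi
}

# Only install when explicitly asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "install" ]; then
  : "${SPLUNK_SHA512:?copy the SHA-512 from the Splunk download page}"
  : "${ADMIN_PASSWORD:?password for the seeded admin account}"
  install_splunk "$SPLUNK_SHA512"
fi
```

Run it as `SPLUNK_SHA512=<hash> ADMIN_PASSWORD=<password> ./install-splunk.sh install`; without the `install` argument it only defines the helper functions, which is what lets the checksum and port checks be exercised on a host with no Splunk on it. The `-auth` argument to `enable listen` exposes the admin password in the process list for the duration of that command; on a shared host run that one step interactively instead.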


About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional, founder of thesecmaster.com, enthusiast, security blogger, technical writer, editor and author at TheSecMaster. To know more about me, follow me on LinkedIn.
