How to set up Splunk on Ubuntu 16.04 and Debian 9.4

Created by Jordy Leffers at 06-12-2017 11:05:35 +0100

Splunk is monitoring and analytics software that makes sense of machine-generated data from servers, applications, drivers and so on. It was developed in 2002-2003 to provide a search engine for log files, and released in 2004. Since then it has helped administrators analyse their systems. Installing Splunk is quick and easy; in this tutorial we'll go over the process step by step.

Before we start, we need an Ubuntu (or Debian) Linux installation. We'll skip that step in this tutorial, since you can easily get a default Linux installation on one of the containers on the site.

This tutorial is based on the cloud containers created on the site, where you are the root user by default, so none of the commands below use sudo. If you're not the root user on your system, you'll have to put "sudo" in front of the commands in the guide below.

You can download Splunk from their website. Clicking the .deb download saves the file to your PC; if you want to download the latest version from the command line instead, use the wget option on the right side of the download page, or use the following command for version 7.1.2 (currently the latest):

wget -O splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb ''

We can now install the .deb file. Note that if you downloaded a different version, you'll have to adjust the filename in this command:

dpkg -i splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb

Set up Splunk to run at boot time. Navigate to Splunk's bin folder and run the following script:

cd /opt/splunk/bin
./splunk enable boot-start

Use space to page through the software license agreement, and agree by typing y.

You'll then be prompted to set a password; remember it well, as you'll need it to log in to the web interface later on.

You can now start, stop and check Splunk's status using the following commands:

service splunk start
service splunk stop
service splunk status

When starting Splunk, you'll get a message that it's available at host_name:8000. However, you should use your domain or public IP address here, not necessarily the host name.

Navigate in your browser to your domain or IP address followed by :8000, like this: http://<your-domain-or-ip>:8000

You should now be redirected to Splunk's web interface, where you can log in with the username admin and the password you set during installation.
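The steps above collected into one script, as an added example that is not part of the original tutorial: it checks the downloaded .deb against the SHA512 value published on the Splunk download page before installing, reads the version from the filename so the commands don't need editing for a different release, and runs Splunk as a dedicated user rather than root. It assumes a Debian-based system with sha512sum available, and that you supply the package path and checksum yourself (the tutorial's wget line leaves the URL blank, so the download itself is not scripted).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the install steps above as
# one script plus two checks worth adding. The SHA512 value must be copied by
# you from the vendor's download page (assumption: you have it to hand).
set -eu

# Pull "7.1.2" out of "splunk-7.1.2-a0c72a66db66-linux-2.6-amd64.deb" so the
# later commands do not hard-code the version; prints nothing for other names.
deb_version() {
    basename "$1" | sed -n 's/^splunk-\([0-9][0-9.]*\)-.*\.deb$/\1/p'
}

# Check the downloaded package against the published SHA512 before dpkg -i
# touches it; returns non-zero on mismatch.
verify_deb() {
    actual=$(sha512sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

install_splunk() {
    deb=$1; expected=$2
    version=$(deb_version "$deb")
    [ -n "$version" ] || { echo "not a Splunk .deb: $deb" >&2; return 1; }
    verify_deb "$deb" "$expected" || { echo "SHA512 mismatch for $deb" >&2; return 1; }
    echo "installing Splunk $version"
    dpkg -i "$deb"
    # Hardening added here: run Splunk as a dedicated unprivileged user instead
    # of root (-user is an option of 'splunk enable boot-start'). Splunk then
    # needs read access to any log files you later configure it to index.
    id splunk >/dev/null 2>&1 || useradd -r -M -s /usr/sbin/nologin splunk
    chown -R splunk:splunk /opt/splunk
    # Interactive, as in the tutorial: page through the licence with space,
    # answer y, then choose the admin password.
    /opt/splunk/bin/splunk enable boot-start -user splunk
    service splunk start
    # The web interface now listens on port 8000 on every interface; restrict
    # it at your firewall to the networks your administrators use.
    echo "Splunk web interface: http://$(hostname):8000"
}

# The full procedure runs only when invoked as: sh install-splunk.sh <deb> <sha512>
if [ $# -eq 2 ]; then
    install_splunk "$1" "$2"
fi
```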

Congratulations, you've just set up Splunk!

