
Splunk Enterprise Install and Setup

We’re going to cover everything you need to know to get up and running with Splunk.

NOTE - In any place where we use an exact version number, IP address, or home directory path, swap in your own specific information.

Install Splunk Enterprise

NOTE - We’re going to assume that you log in to your server using a regular user account ( ex: “user1” ) and that you want to run Splunk using a dedicated user account ( ex: “splunk” ). This is optional. You could run Splunk as any account you like, and you could also log in as the dedicated splunk user from the start if you prefer.

Copy over the tgz file like this:


scp Downloads/splunk-8.2.2.1-ae6821b7c64b-Linux-x86_64.tgz 192.168.3.214:/home/user1

Log in to the server where you will be installing Splunk and unpack the tgz file. Once unpacked, move the resulting splunk directory to /opt.


tar xvfz splunk-8.2.2.1-ae6821b7c64b-Linux-x86_64.tgz
sudo mv splunk /opt

Create a new dedicated user to run Splunk as, and recursively chown the splunk directory to it. You could skip this if you want, but it is recommended.


sudo adduser splunk
sudo chown -R splunk:splunk /opt/splunk

Add the new splunk user to the sudo group. This is only needed for the sudo commands in the steps below; splunkd itself does not need sudo to run.

sudo vi /etc/group

...
sudo:x:27:user1,splunk
...

Become the splunk user. Make sure you are logged in as this user before starting Splunk for the first time and before enabling it in systemd.


sudo su - splunk

Set the SPLUNK_HOME and PATH environment variables for the current shell, and also append them to your bashrc file to make them persistent. The lines appended to bashrc are single-quoted so that $PATH and $SPLUNK_HOME are expanded at login rather than at the time the line is written.


export SPLUNK_HOME=/opt/splunk
export PATH=$PATH:$SPLUNK_HOME/bin

echo 'export SPLUNK_HOME=/opt/splunk' >> ~/.bashrc
echo 'export PATH=$PATH:$SPLUNK_HOME/bin' >> ~/.bashrc
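The two echo lines above will append a fresh copy of each export every time they are run, and without quoting they bake the current value of $PATH into the file. The following shell functions are an added example (not part of the original post) that write the same two exports idempotently, skipping a line that is already present. The function names and the rc-file argument are this example's own choices.

```shell
#!/bin/sh
# Added example: append an environment line to a shell rc file only if it is
# not already there, so re-running the setup does not stack duplicate exports.
# The PATH line is single-quoted so $PATH and $SPLUNK_HOME are expanded at
# login, not at the moment the line is written.

# add_env_line FILE LINE -> appends LINE to FILE unless an identical line exists
add_env_line() {
    file=$1
    line=$2
    touch "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0          # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$file"
}

# setup_splunk_env FILE [SPLUNK_HOME] -> writes both exports into FILE
# (default SPLUNK_HOME is /opt/splunk, the path used throughout this guide)
setup_splunk_env() {
    file=$1
    home=${2:-/opt/splunk}
    add_env_line "$file" "export SPLUNK_HOME=$home"
    add_env_line "$file" 'export PATH=$PATH:$SPLUNK_HOME/bin'
}

# count_line FILE LINE -> prints how many exact copies of LINE are in FILE
# (grep -c exits 1 when the count is 0; that is still a valid answer here)
count_line() {
    grep -cxF -- "$2" "$1" || true
}

# Usage as the dedicated splunk user: write the exports, then load them.
#   setup_splunk_env ~/.bashrc
#   . ~/.bashrc
```

Running setup_splunk_env twice against the same file leaves exactly one copy of each line, and sourcing the file puts $SPLUNK_HOME/bin on PATH regardless of what PATH was when the file was written.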

Perform an initial startup ( accept the license and create the admin account ). Make sure you are still logged in as the dedicated user.


splunk start --accept-license

This will prompt you to enter a new username and password, which will be used to log in to the Splunk GUI.

Splunk should now be reachable here ( swap in your IP or hostname ):

http://192.168.3.214:8000

Enable Splunk to start on boot with systemd. Splunk needs to be stopped first. Run this while still logged in as the dedicated splunk user.


splunk stop
sudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 1

Now you will see it listed with this command:


systemctl list-unit-files | grep -i splunk

You can now start and stop it with systemd like this:


sudo systemctl start Splunkd
sudo systemctl stop Splunkd

Install Splunk Enterprise Using a Deb Package

Instead of unpacking the tgz file manually, you can also use the deb package ( or the RPM package, which should be the same but we aren’t covering it in this section ). It makes things slightly easier but leaves so much undone that it doesn’t seem worth it to me.

Using the deb package will do the following:

What it does NOT do:

Copy over the deb package like this:


scp Downloads/splunk-8.2.2.1-ae6821b7c64b-linux-2.6-amd64.deb 192.168.3.217:/home/user1

You can install the package like this:


sudo apt update
sudo dpkg -i splunk-8.2.2.1-ae6821b7c64b-linux-2.6-amd64.deb

Run Splunk as Its Own Non-root User After It is Already Set Up

If Splunk is already installed and set up, it isn’t too late to configure it to run as another user. You can change the user that Splunk runs as using the following steps.

Create a new dedicated user and chown the existing splunk directory:


sudo adduser splunk
sudo chown -R splunk:splunk /opt/splunk

First, make sure Splunk is stopped.


sudo systemctl stop Splunkd

Next, disable it from starting on boot.


sudo /opt/splunk/bin/splunk disable boot-start

Then, manually remove the following file. You shouldn’t have to do this but I did.


sudo rm /etc/systemd/system/Splunkd.service

Now you can enable it to startup on boot using systemd like this.


sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1

Start it back up like this.


sudo systemctl start Splunkd

Verify that it is running as the user you want.


ps -ef | grep -i splunk
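Eyeballing ps output works once, but the check is worth scripting so it can be repeated after every upgrade. The functions below are an added example (not from the original post) that verify the three things the steps above set up: every splunkd process is owned by the dedicated account, the systemd unit file ( /etc/systemd/system/Splunkd.service, as used earlier in this guide ) pins the same account, and everything under the Splunk directory is owned by that account, which is what the earlier chown -R step was for. The ps listing embedded in the block is constructed for the example, not captured from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: confirm Splunk really runs as the dedicated service account.
# The checks read a ps -ef listing from stdin so they can be exercised on a
# constructed sample as well as on a live host.

# splunkd_owners < PS_LISTING -> prints the distinct users (column 1 of
# ps -ef) that own a splunkd process, ignoring any "grep" line (column 8 is
# the first word of CMD in ps -ef output).
splunkd_owners() {
    awk '/splunkd/ && $8 !~ /^grep$/ { print $1 }' | sort -u
}

# check_splunkd_user EXPECTED < PS_LISTING -> 0 if splunkd is running and
# every instance is owned by EXPECTED; 1 if none is running or any instance
# runs as root or some other account.
check_splunkd_user() {
    expected=$1
    owners=$(splunkd_owners)
    [ -n "$owners" ] || { echo "no splunkd process found" >&2; return 1; }
    for u in $owners; do
        if [ "$u" != "$expected" ]; then
            echo "splunkd running as '$u', expected '$expected'" >&2
            return 1
        fi
    done
    return 0
}

# unit_user UNIT_FILE -> prints the User= value from a systemd unit file,
# or "root" when the unit sets none (systemd's default for a service).
unit_user() {
    u=$(sed -n 's/^User=//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# tree_owned_by DIR USER -> 0 if every file under DIR is owned by USER,
# 1 (naming the first stray file) otherwise. Verifies the chown -R step.
tree_owned_by() {
    stray=$(find "$1" ! -user "$2" -print 2>/dev/null | head -n 1)
    if [ -n "$stray" ]; then
        echo "not owned by $2: $stray" >&2
        return 1
    fi
    return 0
}

# Constructed sample of ps -ef output (not from a real host): splunkd and
# its child both run as "splunk"; the last line is the grep that ran.
SAMPLE_PS_OK='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:02 /sbin/init
splunk    1203     1  1 09:01 ?        00:00:41 splunkd --under-systemd -p 8089
splunk    1210  1203  0 09:01 ?        00:00:00 [splunkd pid=1203] splunkd --under-systemd -p 8089 [process-runner]
user1     2450  2401  0 09:10 pts/0    00:00:00 grep -i splunk'

# Constructed sample where the boot-start step was run without -user splunk.
SAMPLE_PS_ROOT='UID        PID  PPID  C STIME TTY          TIME CMD
root      1203     1  1 09:01 ?        00:00:41 splunkd --under-systemd -p 8089
user1     2450  2401  0 09:10 pts/0    00:00:00 grep -i splunk'

# Live usage on the server (pass --live): the expected account is taken from
# the unit file, so a unit that silently dropped User= fails the check too.
if [ "${1-}" = "--live" ]; then
    expected=$(unit_user /etc/systemd/system/Splunkd.service)
    ps -ef | check_splunkd_user "$expected" && tree_owned_by /opt/splunk "$expected"
fi
```

Taking the expected user from the unit file rather than hard-coding "splunk" means the check fails in the case the earlier steps warn about: boot-start re-enabled without -user, which yields a unit with no User= line and therefore a root splunkd.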

Set the SPLUNK_HOME and PATH environment variables for the splunk user. As before, the lines appended to bashrc are single-quoted so the variables are expanded at login rather than at write time.


sudo su - splunk

export SPLUNK_HOME=/opt/splunk
export PATH=$PATH:$SPLUNK_HOME/bin

echo 'export SPLUNK_HOME=/opt/splunk' >> ~/.bashrc
echo 'export PATH=$PATH:$SPLUNK_HOME/bin' >> ~/.bashrc