Getting started with Splunk is easy and straightforward (mostly) — especially if you’ve already made your architecture decisions. For the purpose of this tutorial, we’ll assume you’ve already checked Splunk’s documentation on system requirements. It’ll also be helpful to keep the full Splunk installation manual handy.
Note: If you’re using AWS for your Splunk deployment, Splunk offers a Splunk Enterprise Amazon Machine Image (AMI) that installs to AWS with one click. There are also containerized options for Splunk for Docker and Kubernetes.
Let’s dive into installing Splunk Enterprise
Installing Splunk Enterprise on Linux
You can download Splunk Enterprise for Linux from the Splunk website (you’ll need a free account).
Once you select your operating system from the tabs, and choose the package option you prefer (.deb, .tgz, or .rpm), you can simply click to download the file. Once you click, however, you’ll also be directed to a page with instructions for downloading directly from the command line using wget (filename below will be different depending on the version available at the time you click):
wget -O splunk-9.0.0-6818ac46f2ec-linux-2.6-x86_64.rpm https://download.splunk.com/products/splunk/releases/9.0.0/linux/splunk-9.0.0-6818ac46f2ec-linux-2.6-x86_64.rpm
Why doesn’t Splunk put this on the page where you choose your download? A great question. Nobody knows. Maybe Buttercup? We’ll have to ask them next year at .conf23.
Once the .rpm has downloaded successfully, you can install it with this command:
rpm -i splunk-9.0.0-6818ac46f2ec-linux-2.6-x86_64.rpm
(Again, your file name may be different depending on the available version at the time of download.)
First, we’ll want to make sure we can run Splunk as the splunk user — the install should have created that user and group, but you can verify with this command:
cut -d: -f1 /etc/passwd
This will display a list of local users. If you don’t see splunk in the list, create this user and group with the following:
adduser splunk groupadd splunk
There are limits on the Linux platform known as ulimits that impact maximum file size, number of open files, user processes, and data segment sizes. On the command line, type:
This will present a list of limits that you can verify against your settings. Need to adjust your settings to meet/exceed? Edit the /etc/system/system.conf file and adjust the following settings:
[Manager] DefaultLimitFSIZE=-1 DefaultLimitNOFILE=64000 DefaultLimitNPROC=16000
I like big pages and I cannot lie…
Some Linux distros enable the transparent huge pages feature by default. Splunk recommends this feature be disabled due to performance hits in Splunk Enterprise (30%+). A quick Google search will help you find the process for doing this for your Linux distribution and version.
Starting Splunk on Linux
Once you’ve installed and tweaked your settings, you’re ready to fire Splunk up for the first time! First, make sure you’re operating as the Splunk user:
su - splunk
Then, from the /opt/splunk/bin directory, type the following:
Want to skip the license agreement? You can also start Splunk by typing ./splunk start –accept-license to get to the good stuff without all the bothersome “reading” the kids are into these days.
Start on Reboot
Out of the box, Splunk doesn’t start when the server is rebooted. You can, however, have Splunk create a script that will enable this functionality by executing an “enable boot-start” command:
[root@ip-172-31-28-164 ~]# cd /opt/splunk/bin [root@ip-172-31-28-164 bin]# ./splunk enable boot-start -user splunk Init script installed at /etc/init.d/splunk. Init script is configured to run at boot.
You’ll want to edit the /etc/init.d/splunk file and add USER=splunk after the RETVAL entry:
#!/bin/sh # # /etc/init.d/splunk # init script for Splunk. # generated by 'splunk enable boot-start'. # # chkconfig: 2345 90 60 # description: Splunk indexer service # RETVAL=0 USER=splunk . /etc/init.d/functions …
It’s important to specify -user splunk when you execute the enable boot-start command and implement this change to init.d or you’ll end up with file ownership headaches.
Stopping Splunk on Linux
Best practices dictate that you should stop Splunk from the command line before rebooting the server:
Ready to Learn More?
Installing Splunk, of course, is just the beginning! Ready to learn more about getting the most from Splunk? Check out other entries in our Splunk 101 content. Want to take Splunk to the next level in your organization but need some help? We’d love to chat!