It is estimated that over 95% of the world’s servers run the Linux operating system. As such it’s no surprise that a majority of Splunk installations happen on Linux machines.
Installing and running Splunk on a Linux server is a fast and easy process. There are several methods to conduct this install, including ways to automate and streamline the process for multiple installs. We will review all these concepts in this article.
All the packages referenced in this article are available to download for free.
Before we Begin…
There are some potential “gotchas” that can interfere with a successful installation. The most common one is file permissions, which often stems from installing Splunk as the wrong user. The splunk user should be added on the target system by running adduser splunk. You should then act as the splunk user by running su splunk. If the ‘su’ command is unavailable but you have sudo access, you can use sudo with the -u option to act as the splunk user. To do this, just preface all the install commands with sudo -u splunk. For example:
If acting as the splunk user:
tar -xvzf splunk.tgz
If NOT acting as the splunk user:
sudo -u splunk tar -xvzf splunk.tgz
Ultimately, we want to ensure two things:
- The installation directory and all subdirectories are owned by the splunk user
- The splunk start command is run by the splunk user
If you make a mistake during installation, you can quickly fix directory ownership by running chown splunk:splunk -R /opt/splunk. You can change the user running the splunk process by acting as the splunk user and running /opt/splunk/bin/splunk restart.
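A small check script that tests the two conditions listed above, added here as an example and not part of the original article. It assumes the install directory is /opt/splunk and the service account is splunk (both can be overridden with SPLUNK_HOME and SPLUNK_USER); it reports any file in the tree not owned by that user, and which user the running splunkd process belongs to, and prints the chown fix from the text when ownership is wrong.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies the two things the
# article says to ensure: (1) the install tree is owned by the splunk user,
# (2) the splunkd process runs as the splunk user.
# Assumptions: install dir /opt/splunk and user "splunk" (overridable).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# check_tree_owner DIR USER: print how many entries under DIR are not owned by
# USER; return 0 when that count is zero, 1 otherwise, 2 if DIR or USER missing.
check_tree_owner() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    stray=$(find "$dir" ! -user "$user" | wc -l | tr -d ' ')
    echo "$stray"
    [ "$stray" -eq 0 ]
}

# splunkd_user: print the account running the first splunkd process, or nothing.
splunkd_user() {
    ps -eo user=,comm= | awk '$2 == "splunkd" { print $1; exit }'
}

main() {
    rc=0
    if check_tree_owner "$SPLUNK_HOME" "$SPLUNK_USER" >/dev/null; then
        echo "OK   $SPLUNK_HOME is wholly owned by $SPLUNK_USER"
    else
        echo "FAIL files under $SPLUNK_HOME not owned by $SPLUNK_USER" \
             "(fix as root: chown $SPLUNK_USER:$SPLUNK_USER -R $SPLUNK_HOME)"
        rc=1
    fi
    u=$(splunkd_user)
    if [ -z "$u" ]; then
        echo "WARN splunkd is not running"
    elif [ "$u" = "$SPLUNK_USER" ]; then
        echo "OK   splunkd runs as $u"
    else
        echo "FAIL splunkd runs as $u, expected $SPLUNK_USER" \
             "(fix: su $SPLUNK_USER -c '$SPLUNK_HOME/bin/splunk restart')"
        rc=1
    fi
    return $rc
}

# Run the checks only when invoked with --run, e.g.: sh check_splunk.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The exit status is non-zero when either condition fails, so the script can be dropped into a post-install step of a configuration-management run.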
How to Install Splunk on Linux
Step 1: Download a Splunk TAR archive.
On the system where Splunk will be installed, go to the target install directory (which is usually /opt/splunk). You can easily download Splunk using a command like this:
wget -O splunk.tgz "https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz"
Step 2: Extract the archive into the installation directory.
Once downloaded, the archive should be extracted into the installation directory using the command tar -xvzf splunk.tgz.
You can also download RPM and DEB packages from Splunk’s website and use them for the installation. Once downloaded, simply run:
RPM:
rpm -i splunk.rpm
DEB:
dpkg -i splunk.deb
Step 3: Start Splunk by running the Splunk binary with the --accept-license flag.
/opt/splunk/bin/splunk start --accept-license
During startup, you will be prompted to create an admin user for this Splunk instance. If you wish to bypass this step, you can supply a password by using the flags --no-prompt and --seed-passwd, like this:
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd P@ssw0rd
You can also instruct Splunk to create the password itself and print it to the screen, like this:
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd
Use a Script for your Splunk installation.
Manually installing Splunk on multiple systems can be time intensive and laborious. It also increases the chance of human error. There are several options available to increase efficiency across multiple installs. Splunk installation can be scripted, with the script run on every machine requiring an install. Scripting should be customized for your environment and the tools you have available, but an example script might look something like this:
#!/bin/sh
# Run as root on each target host; adduser may prompt interactively on Debian-based systems.
adduser splunk
wget -O splunk.tgz "https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz"
# The archive unpacks into splunk/, so /opt/splunk must exist and be writable by the splunk user first.
mkdir -p /opt/splunk && chown splunk:splunk /opt/splunk
sudo -u splunk tar -xvzf splunk.tgz -C /opt
# enable boot-start must run as root; -user splunk makes the service start as the splunk user.
/opt/splunk/bin/splunk enable boot-start -user splunk --accept-license
sudo -u splunk /opt/splunk/bin/splunk start --accept-license
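A more defensive version of the scripted install, added here as an example and not the article's own script: it verifies the downloaded archive's SHA-512 before extracting it, creates the service account without an interactive prompt, and sets ownership of the install directory before extraction so the splunk user can write to it. Assumptions not taken from the article: that a checksum file for the release is published at the archive URL plus ".sha512" in sha512sum format (confirm the exact location on Splunk's download page), the install root /opt, and the account name splunk.

```shell
#!/bin/sh
# Added example, not from the original article: a scripted install that checks
# the tarball's SHA-512 before unpacking it. Assumed (not from the article):
# the checksum URL below, install root /opt, service account "splunk".
set -eu

RELEASE_URL="https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz"
SHA_URL="${RELEASE_URL}.sha512"   # assumed location of the published checksum
INSTALL_ROOT="${INSTALL_ROOT:-/opt}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# verify_sha512 FILE EXPECTED_HEX: return 0 only when FILE's SHA-512 matches.
verify_sha512() {
    actual=$(sha512sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# ensure_user NAME HOME: create a system account if it does not exist yet.
ensure_user() {
    id "$1" >/dev/null 2>&1 || useradd --system --home-dir "$2" --shell /bin/bash "$1"
}

# extract_release TGZ ROOT USER: make ROOT/splunk owned by USER, then unpack the
# archive (its top-level directory is "splunk/") into ROOT as that user.
extract_release() {
    tgz="$1"; root="$2"; user="$3"
    mkdir -p "$root/splunk"
    chown "$user:$(id -gn "$user")" "$root/splunk"
    if [ "$(id -un)" = "$user" ]; then
        tar -xzf "$tgz" -C "$root"
    else
        sudo -u "$user" tar -xzf "$tgz" -C "$root"
    fi
    [ -x "$root/splunk/bin/splunk" ]
}

main() {
    wget -qO splunk.tgz "$RELEASE_URL"
    wget -qO splunk.tgz.sha512 "$SHA_URL"
    # Assumed sha512sum-style content: "<hex>  <filename>"; keep the hex field.
    expected=$(awk '{ print $1 }' splunk.tgz.sha512)
    if ! verify_sha512 splunk.tgz "$expected"; then
        echo "checksum mismatch for splunk.tgz, aborting install" >&2
        exit 1
    fi
    ensure_user "$SPLUNK_USER" "$INSTALL_ROOT/splunk"
    extract_release splunk.tgz "$INSTALL_ROOT" "$SPLUNK_USER"
    # boot-start needs root; -user makes the service run as the splunk account.
    "$INSTALL_ROOT/splunk/bin/splunk" enable boot-start -user "$SPLUNK_USER" --accept-license
    sudo -u "$SPLUNK_USER" "$INSTALL_ROOT/splunk/bin/splunk" start \
        --accept-license --answer-yes --no-prompt --gen-and-print-passwd
}

# Perform the install only when invoked with --run, e.g.: sh install_splunk.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Using --gen-and-print-passwd keeps the admin password out of shell history and the process list, which a literal --seed-passwd value on the command line does not; capture the printed password from the run's output and rotate it after first login.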
Use Simultaneous Shells
There are several methods to issue commands to multiple remote hosts via simultaneous shells. One powerful solution is to use iTerm. Using this tool, you can open shells to all hosts that require Splunk installation, and then run the required installation commands once for all hosts, eliminating the time spent running the same commands multiple times.
Install Splunk on Linux in 3 Easy Steps
Installing Splunk on Linux is quick and easy, provided you avoid a few common pitfalls. Many elements of the install can be customized to meet the specific needs of your environment. Additionally, there are methods available to make the process more efficient, especially when conducting installs across multiple hosts. Once you’re done, you get to enjoy the benefits that come from leveraging Splunk’s powerful capabilities. Happy installing!
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the button below: