
How to Install Splunk on Linux (+Screenshots)

Written by: Caleb Stought | Last Updated: April 19, 2024 | Originally Published: January 13, 2023

It is estimated that over 95% of the world’s servers run the Linux operating system. As such, it’s no surprise that the majority of Splunk installations happen on Linux machines.

Installing and running Splunk on a Linux server is a fast and easy process. There are several methods to conduct this install, including ways to automate and streamline the process for multiple installs. We will review all these concepts in this article. 

All the packages referenced in this article are available to download for free.

Before we Begin… 

There are some potential “gotchas” that can interfere with a successful installation. The most common one is a file-permission problem, which usually stems from installing Splunk as the wrong user. Add a splunk user on the target system by running adduser splunk, then act as that user by running su splunk. If su is unavailable but you have sudo access, you can use sudo with the -u option to act as the splunk user: just preface every install command with sudo -u splunk. For example:

If acting as the splunk user 
tar -xvzf splunk.tgz 
If NOT acting as the Splunk user 
sudo -u splunk tar -xvzf splunk.tgz

Ultimately, we want to ensure two things:

  • The installation directory and all subdirectories are owned by the splunk user 
  • The splunk start command is run by the splunk user 

If you make a mistake during installation, you can quickly fix directory ownership by running chown splunk:splunk -R /opt/splunk. You can change the user running the splunk process by acting as the splunk user and running /opt/splunk/bin/splunk restart.   

How to Install Splunk on Linux

Step 1: Download a Splunk TAR archive

On the system where Splunk will be installed, go to the directory that will contain the install (the install directory is usually /opt/splunk, and the archive unpacks into a splunk subdirectory, so work from /opt). You can easily download Splunk using a command like this:

wget -O splunk.tgz "https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz" 

Step 2: Extract the archive into the installation directory.

Once downloaded, extract the archive with the command tar -xvzf splunk.tgz. The archive contains a top-level splunk directory, so running this from /opt produces the /opt/splunk installation directory (the script later in this article uses tar’s -C /opt option for the same reason).

You can also download RPM and DEB packages from Splunk’s website and use them for the installation. Once downloaded, simply run: 

RPM 
rpm -i splunk.rpm 
DEB 
dpkg -i splunk.deb  

Step 3: Start Splunk by running the Splunk binary with the --accept-license flag.

/opt/splunk/bin/splunk start --accept-license 

During startup, you will be prompted to create an admin user for this Splunk instance. If you wish to bypass this step, you can supply a password with the flags --no-prompt and --seed-passwd, like this (note that a password passed this way is recorded in your shell history and is visible to other users in the process list while the command runs):

/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd P@ssw0rd 

You can also instruct Splunk to create the password itself and print it to the screen, like this: 

/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd 

Use a Script for your Splunk installation.

Manually installing Splunk on multiple systems can be time-intensive and laborious, and it increases the chance of human error. There are several options available to increase efficiency across multiple installs. The Splunk installation can be scripted, with the script run on every machine requiring an install. Scripting should be customized for your environment and the tools you have available, but an example script might look something like this:

adduser splunk
mkdir -p /opt/splunk && chown splunk:splunk /opt/splunk   # the splunk user must own the target before extracting as that user

wget -O /tmp/splunk.tgz "https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz"   # a location the splunk user can read
sudo -u splunk tar -xvzf /tmp/splunk.tgz -C /opt
sudo -u splunk /opt/splunk/bin/splunk start --accept-license
/opt/splunk/bin/splunk enable boot-start -user splunk   # run as root: this writes the init/systemd unit, but Splunk itself will run as splunk
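The following is an added example, not the article’s script, of a scripted install that enforces the two conditions stated earlier (the tree is owned by the splunk user and the process is started by the splunk user) and seeds the admin account through Splunk’s user-seed.conf so the password never appears on a command line. The install path /opt/splunk, the splunk user, the article’s tarball URL and a root-only password file /root/splunk-admin.pass are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script: a scripted install with the two
# checks the article asks for (tree owned by splunk, process started as
# splunk) plus an admin seed that keeps the password off the command line.
# Assumed: SPLUNK_HOME=/opt/splunk, user splunk, the tarball URL from the
# article, and a root-only file /root/splunk-admin.pass holding the password.
set -eu
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
TGZ_URL="https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz"

# 0 only when user $2 exists and every path under $1 is owned by it
# (a non-zero result is exactly what the article's chown -R fix repairs).
check_ownership() {
    [ -d "$1" ] || return 1
    id -u "$2" >/dev/null 2>&1 || return 1
    [ -z "$(find "$1" ! -user "$2" -print -quit)" ]
}

# Write $1/etc/system/local/user-seed.conf (mode 600) so the first start
# creates admin user $2 from the password in file $3. Unlike --seed-passwd,
# the secret never appears in shell history or in `ps` output.
write_user_seed() {
    pw="$(head -n 1 "$3")"
    [ "${#pw}" -ge 8 ] || { echo "password too short" >&2; return 1; }
    seed="$1/etc/system/local/user-seed.conf"
    mkdir -p "$(dirname "$seed")"
    ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$pw" > "$seed" )
    echo "$seed"
}

install_splunk() {
    id -u "$SPLUNK_USER" >/dev/null 2>&1 || useradd -r -m -s /bin/sh -d "$SPLUNK_HOME" "$SPLUNK_USER"
    wget -qO /tmp/splunk.tgz "$TGZ_URL"
    # extract as root into the parent of SPLUNK_HOME, then hand the whole tree to the splunk user
    tar -xzf /tmp/splunk.tgz -C "$(dirname "$SPLUNK_HOME")"
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
    check_ownership "$SPLUNK_HOME" "$SPLUNK_USER" || { echo "ownership check failed" >&2; exit 1; }
    seed="$(write_user_seed "$SPLUNK_HOME" admin /root/splunk-admin.pass)"
    chown "$SPLUNK_USER:$SPLUNK_USER" "$seed"
    # start as splunk (never as root); boot-start itself needs root to write the unit file
    su "$SPLUNK_USER" -c "$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes --no-prompt"
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}

# Only run the install when explicitly asked, so the helpers can be sourced and tested.
if [ "${RUN_SPLUNK_INSTALL:-0}" = 1 ]; then install_splunk; fi
```

Run it as root with RUN_SPLUNK_INSTALL=1 after placing the admin password in /root/splunk-admin.pass; Splunk removes user-seed.conf once the account has been created.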

Use Simultaneous Shells 

There are several methods to issue commands to multiple remote hosts via simultaneous shells. One powerful solution is to use iTerm. Using this tool, you can open shells to all hosts that require Splunk installation, and then run the required installation commands once for all hosts, eliminating the time spent running the same commands multiple times. 


Install Splunk on Linux in 3 Easy Steps

Installing Splunk on Linux is quick and easy, provided you avoid a few common pitfalls. Many elements of the install can be customized to meet the specific needs of your environment. Additionally, there are methods available to make the process more efficient, especially when conducting installs across multiple hosts. Once you’re done, you get to enjoy the benefits that come from leveraging Splunk’s powerful capabilities. Happy installing! 

If you found this helpful…

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the button below:
