"This website is not affiliated with Splunk INC. and is not an authorized seller of Splunk products and services" 

                                                                                                     <  Back |HomeNext  >


  • Splunk  linux installation step by step instructions:


Step 1: Download Splunk from below link(64bit package if applicable)

http://www.splunk.com/goto/Download_4_2

Step2: To install Splunk Enterprise on a Linux system, expand the tar file into an appropriate directory using the tar command.
 To install into /opt/splunk, use the following command

tar xvzf splunk_package_name.tgz -C /opt

Step3: Verify that the file is readable and executable by the the Splunk user. If needed change access using below command

chmod 744 splunk_package_name.rpm

Step 4: install the Splunk RPM in the default directory /opt/splunk using below command

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

Setp5:Accept license using below command

./splunk start --accept-license

Step6: Enable boot start

./splunk enable boot-start

You splunk is ready for use now :).You can access it now using your favourite browser.

Note:- Splunk is not compatible with internet explorer and having some known issues.For splunkplease use any other browser loke Mozilla or Google Chrome.Default splunk url for your installation will be  as below:

http://localhost:8000 
you can use hostname or ip address instead of localhost in above url.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


  • Splunk forwarder linux installation step by step (Redhat)


Step 1: Download Splunk Universal Forwarder:

 http://www.splunk.com/download/universalforwarder (64bit package if applicable!)

Step 2: Install Forwarder using below command

 rpm -i splunk_install_file.rpm    #replace splunk install file with downlaoded file name

 #Specify directory to install and Accept License

  su splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license"   #replace your splunk installation path with your path

# Enable Splunk to start on boot

 /opt/splunkforwarder/bin/splunk enable boot-start -user splunk   #this enabled boot start

 # setup username and password

 su splunk -c "/opt/splunkforwarder/bin/splunk edit user admin -password <your new password> -auth admin:changeme"   #change default username and password

  #optional if you want to use the Deployment Server feature of your splunk server.  

 su splunk -c "/opt/splunkforwarder/bin/splunk set deploy-poll <ip:port>"   

/etc/init.d/splunk restart
  
Step 3: Enable Receiving input on the Index Server Configure the Splunk Index Server to receive data, either in the manager: Manager -> sending and receiving -> configure receiving -> new or via the CLI: /opt/splunk/bin/splunk enable listen 9997 Where 9997 (default) is the receiving port for Splunk Forwarder connections

Step 4: Configure Forwarder connection to Index Server: /opt/splunkforwarder/bin/splunk add forward-server hostname.domain:9997 (where hostname.domain is the fully qualified address or IP of the index server (like indexer.splunk.com), and 9997 is the receiving port you create on the Indexer: Manager -> sending and receiving -> configure receiving -> new)

Step 5: Test Forwarder connection: /opt/splunkforwarder/bin/splunk list forward-server

Step 6: Add Data: /opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app% Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data This will create a file: inputs.conf in /opt/splunkforwarder/etc/apps/search/local/ -- here is some documentation on inputs.conf: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/

Step 7 (Optional): Install and Configure UNIX app on Indexer and *nix forwarders: On the Splunk Server, go to Apps -> Manage Apps -> Find more Apps Online -> Search for ‘Splunk App for Unix and Linux’ -> Install the "Splunk App for Unix and Linux' Restart Splunk if prompted, Open UNIX app -> Configure Once you’ve configured the UNIX app on the server, you'll want to install the related Add-on: "Splunk Add-on for Unix and Linux" on the Universal Forwarder. Go to http://apps.splunk.com/ and find the "Splunk Add-on for Unix and Linux" (Note you want the ADD-ON, not the App - there is a difference!). Copy the contents of the Add-On zip file to the Universal Forwarder, in: /opt/splunkforwarder/etc/apps/. If done correctly, you will have the directory "/opt/splunkforwarder/etc/apps/Splunk_TA_nix" and inside it will be a few directories along with a README & license files. Restart the Splunk forwarder (/opt/splunkforwarder/bin/splunk restart) Note: The data collected by the unix app is by default placed into a separate index called ‘os’ so it will not be searchable within splunk unless you either go through the UNIX app, or include the following in your search query: “index=os” or “index=os OR index=main” (don’t paste doublequotes)

Step 8 (Optional): Customize UNIX app configuration on forwarders: Look at inputs.conf in /opt/splunkforwarder/etc/apps/unix/local/ and /opt/splunkforwarder/etc/apps/unix/default/ The ~default/inputs. path shows what the app can do, but everything is disabled. The ~local/inputs.conf shows what has been enabled – if you want to change polling intervals or disable certain scripts, make the changes in ~local/inputs.conf.

Step 9 (Optional): Configure File System Change Monitoring (for configuration files):http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Monitorchangestoyourfilesystem

Note that Splunk also has a centralized configuration management server called Deployment Server. This can be used to define server classes and push out specific apps and configurations to those classes. So you may want to have your production servers class have the unix app configured to execute those scripts listed in ~local/inputs at the default values, but maybe your QA servers only need a few of the full stack, and at longer polling intervals. Using Deployment Server, you can configure these classes, configure the app once centrally, and push the appropriate app/configuration to the right systems.




Courtesy: http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html


                                                                                                 <  Back |HomeNext  >

Comment Box is loading comments...