"This website is not affiliated with Splunk INC. and is not an authorized seller of Splunk products and services"
- Splunk Linux installation, step-by-step instructions:
Step 1: Download Splunk from the link below (64-bit package if applicable).
Step 2: To install Splunk Enterprise on a Linux system from the tarball, expand the tar file into an appropriate directory using the tar command.
To install into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt
Step 3: Verify that the file is readable and executable by the Splunk user. If needed, change the access mode using the command below:
chmod 744 splunk_package_name.rpm
Step 4: Install the Splunk RPM in the default directory /opt/splunk using the command below:
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag:
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
Step 5: Accept the license using the command below (run from the Splunk bin directory, e.g. /opt/splunk/bin):
./splunk start --accept-license
Step 6: Enable boot start:
./splunk enable boot-start
Your Splunk instance is now ready for use. You can access it with your favourite browser.
Note: Splunk is not compatible with Internet Explorer and has some known issues with it. Please use another browser such as Mozilla Firefox or Google Chrome. The default Splunk URL for your installation will be as below:
You can use the hostname or IP address instead of localhost in the above URL.
- Splunk forwarder Linux installation, step by step (Red Hat)
Step 1: Download the Splunk Universal Forwarder:
http://www.splunk.com/download/universalforwarder (64bit package if applicable!)
Step 2: Install the forwarder using the commands below:
rpm -i splunk_install_file.rpm #replace splunk_install_file.rpm with the downloaded file name
#Start the forwarder and accept the license
su splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license" #replace /opt/splunkforwarder with your installation path
# Enable Splunk to start on boot
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk #this enables boot start as the splunk user
# Set up the admin password
su splunk -c "/opt/splunkforwarder/bin/splunk edit user admin -password <your new password> -auth admin:changeme" #change the default admin password
#Optional: only if you want to use the Deployment Server feature of your Splunk server
su splunk -c "/opt/splunkforwarder/bin/splunk set deploy-poll <ip:port>"
Step 3: Enable receiving on the index server. Configure the Splunk index server to receive data, either in Manager: Manager -> Sending and receiving -> Configure receiving -> New, or via the CLI:
/opt/splunk/bin/splunk enable listen 9997
where 9997 (the default) is the receiving port for Splunk forwarder connections.
Step 4: Configure the forwarder connection to the index server:
/opt/splunkforwarder/bin/splunk add forward-server hostname.domain:9997
where hostname.domain is the fully qualified address or IP of the index server (like indexer.splunk.com), and 9997 is the receiving port you created on the indexer (Manager -> Sending and receiving -> Configure receiving -> New).
Step 5: Test the forwarder connection:
/opt/splunkforwarder/bin/splunk list forward-server
Step 6: Add data:
/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%
where /path/to/app/logs/ is the path to the application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data. This will create the file inputs.conf in /opt/splunkforwarder/etc/apps/search/local/. Documentation on inputs.conf: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/
Step 7 (Optional): Install and configure the UNIX app on the indexer and *nix forwarders.
On the Splunk server, go to Apps -> Manage Apps -> Find more Apps Online -> search for 'Splunk App for Unix and Linux' -> install the "Splunk App for Unix and Linux". Restart Splunk if prompted, then open the UNIX app -> Configure.
Once you have configured the UNIX app on the server, install the related add-on, "Splunk Add-on for Unix and Linux", on the Universal Forwarder. Go to http://apps.splunk.com/ and find the "Splunk Add-on for Unix and Linux" (note that you want the ADD-ON, not the App; there is a difference!). Copy the contents of the add-on zip file to the Universal Forwarder, into /opt/splunkforwarder/etc/apps/. If done correctly, you will have the directory /opt/splunkforwarder/etc/apps/Splunk_TA_nix, and inside it a few directories along with README and license files. Restart the Splunk forwarder:
/opt/splunkforwarder/bin/splunk restart
Note: The data collected by the UNIX app is by default placed into a separate index called 'os', so it will not be searchable within Splunk unless you either go through the UNIX app or include the following in your search query: index=os or index=os OR index=main (without the quotes).
Step 8 (Optional): Customize the UNIX app configuration on forwarders. Look at inputs.conf in /opt/splunkforwarder/etc/apps/unix/local/ and /opt/splunkforwarder/etc/apps/unix/default/. The ~default/inputs.conf shows what the app can do, but everything in it is disabled. The ~local/inputs.conf shows what has been enabled; if you want to change polling intervals or disable certain scripts, make the changes in ~local/inputs.conf.
Step 9 (Optional): Configure file system change monitoring (for configuration files): http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Monitorchangestoyourfilesystem
Note that Splunk also has a centralized configuration management server called Deployment Server. It can be used to define server classes and push specific apps and configurations out to those classes. For example, you may want your production server class to run the scripts listed in ~local/inputs.conf at the default values, while your QA servers only need a few of the full set, at longer polling intervals. Using Deployment Server, you configure these classes, configure the app once centrally, and push the appropriate app/configuration to the right systems.
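The Step 5 check above only prints the forwarder's view; as an added example that is not part of the original page, the POSIX shell function below parses that "splunk list forward-server" output and fails when the expected indexer is not in the active list or when any forward is configured but inactive (the usual sign that the receiving port from Step 3 is not listening or is blocked). The two sample outputs are constructed and indexer.example.com:9997 is an assumed indexer address.

```shell
#!/bin/sh
# Added example, not from the original page. Usage:
#   /opt/splunkforwarder/bin/splunk list forward-server | forward_status_check indexer.example.com:9997
# Returns 0 only when EXPECTED is under "Active forwards:" and nothing is
# under "Configured but inactive forwards:" (other than the literal "None").
forward_status_check() {
    expected="$1"
    section=""
    active_hit=0
    inactive_count=0
    while IFS= read -r line; do
        # the CLI indents entries with a tab; strip leading/trailing whitespace
        entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in
            "Active forwards:") section=active; continue ;;
            "Configured but inactive forwards:") section=inactive; continue ;;
            ""|None) continue ;;
        esac
        if [ "$section" = active ] && [ "$entry" = "$expected" ]; then
            active_hit=1
        elif [ "$section" = inactive ]; then
            inactive_count=$((inactive_count + 1))
            echo "WARNING: configured but inactive forward: $entry" >&2
        fi
    done
    [ "$active_hit" -eq 1 ] && [ "$inactive_count" -eq 0 ]
}

# Constructed sample outputs: a healthy forwarder and one whose indexer
# is configured but not reachable (assumed host indexer.example.com).
GOOD_OUTPUT='Active forwards:
    indexer.example.com:9997
Configured but inactive forwards:
    None'
BAD_OUTPUT='Active forwards:
    None
Configured but inactive forwards:
    indexer.example.com:9997'

# check_sample good|bad -> exit status of the check on that sample
check_sample() {
    case "$1" in
        good) printf '%s\n' "$GOOD_OUTPUT" | forward_status_check indexer.example.com:9997 ;;
        bad)  printf '%s\n' "$BAD_OUTPUT"  | forward_status_check indexer.example.com:9997 ;;
        *)    return 2 ;;
    esac
}
```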