How to Install Splunk 9.x on Ubuntu
Let's take a look at the steps needed to install Splunk 9.x on an Ubuntu Linux server. There are further best practices you can follow during the install; make sure to check Splunk Docs for those. This should be a good place to start.
Prerequisites
You will need to have sudo or root privileges to run commands and install packages.
Step 1: Downloading Splunk
- Go to the Splunk website and navigate to the Splunk Download page.
- Sign up or log in to the page and access the “Choose Your Download” section.
- Click on the “Linux” tab and start the download of the .tgz file.
- Cancel the download and locate the “Command Line (wget)” option under the “Useful Tools” box.
- Copy the wget command provided, which should look similar to:
wget -O splunk-<version>.tgz "https://download.splunk.com/splunk-<version>.tgz"
Step 2: Installing wget
To download Splunk using the wget command, we need to ensure that the wget utility is installed. Run the following command to install it:
sudo apt install wget -y
Step 3: Creating the Splunk User
Create a dedicated user for running Splunk using the following command:
sudo adduser splunk --disabled-password
Please note that the splunk user will not have a password, so you will need root privileges to switch into it.
Step 4: Downloading and Extracting Splunk
- Switch to the /tmp directory using the following command:
cd /tmp
- Download Splunk by running the previously copied wget command. Replace <version> with the specific version you want to install:
wget -O splunk-<version>.tgz "https://download.splunk.com/splunk-<version>.tgz"
- Extract the downloaded Splunk package to the /opt directory:
sudo tar -zxvf splunk-<version>.tgz -C /opt
Step 5: Setting Ownership
Change the ownership of the Splunk installation directory to the splunk user:
sudo chown -R splunk: /opt/splunk
Step 6: Starting Splunk
- Switch to the splunk user:
sudo su splunk
- Start Splunk by running the following command:
/opt/splunk/bin/splunk start
During the initial startup, you will be prompted to scroll through and accept the license agreement. You’ll also need to create an administrator username and set a password for that user. Keep in mind that some Apps and Technology Add-Ons expect a user named admin to be present in the Splunk installation, so it is common practice to use admin as the first administrator username.
Step 7 (Optional): Configuring Splunk to Start at Boot
If you want Splunk to start automatically on system boot, follow these steps:
- Use the exit command to leave the splunk user and return to your own user, which has root privileges:
exit
- Run the following command to enable Splunk to start at boot, specifying the splunk user:
sudo /opt/splunk/bin/splunk enable boot-start -user splunk
Step 8: Accessing the Splunk Web GUI
To access the Splunk Web GUI and continue the configuration, open a web browser and enter the following URL, replacing <IP/Hostname> with the IP address or hostname of your server:
http://<IP/Hostname>:8000
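As an added example that is not part of the original post, here are Steps 4 through 7 as one script for a root shell, with two checks the manual steps skip: the tarball's SHA512 is compared with the checksum published on the download page (assumed saved to a local file containing the hex digest), and the archive listing is inspected before tar writes anything under /opt. The INSTALL_ROOT and SPLUNK_USER variables, the --run switch and the argument order are assumptions of this example, not Splunk's.

```shell
#!/bin/sh
# Added example, not the post's own commands: Steps 4-7 as one unattended script.
# Assumed by this example: INSTALL_ROOT/SPLUNK_USER variables, the --run switch,
# and a locally saved file holding the SHA512 digest from the download page.
set -eu

INSTALL_ROOT="${INSTALL_ROOT:-/opt}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Accept only dotted numeric versions, so the value cannot carry shell or path characters.
valid_version() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){1,3}$'
}

# Compare the sha512sum of file $1 with the 128-hex-character digest found in file $2.
verify_checksum() {
    expected=$(grep -Eo '[0-9a-fA-F]{128}' "$2" | head -n 1 | tr 'A-F' 'a-f')
    actual=$(sha512sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Read a `tar -tzf` listing on stdin; succeed only if every entry stays inside splunk/
# (no absolute paths, no other top-level directory, no ".." component).
safe_tar_listing() {
    awk '$0 !~ /^splunk(\/|$)/ || $0 ~ /(^|\/)\.\.(\/|$)/ { bad = 1 } END { exit bad }'
}

# $1 = version, $2 = URL from the download page's wget box, $3 = saved SHA512 file.
install_splunk() {
    valid_version "$1" || { echo "unexpected version string: $1" >&2; return 1; }
    tgz="/tmp/splunk-$1.tgz"
    wget -O "$tgz" "$2"
    verify_checksum "$tgz" "$3" || { echo "checksum mismatch, not extracting" >&2; return 1; }
    tar -tzf "$tgz" | safe_tar_listing || { echo "archive escapes splunk/, refusing" >&2; return 1; }
    tar -zxf "$tgz" -C "$INSTALL_ROOT"
    chown -R "$SPLUNK_USER": "$INSTALL_ROOT/splunk"
    # First start is interactive as in Step 6: license acceptance, then the admin account.
    sudo -u "$SPLUNK_USER" "$INSTALL_ROOT/splunk/bin/splunk" start
    "$INSTALL_ROOT/splunk/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}

# Only act when called with --run, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    install_splunk "$2" "$3" "$4"
fi
```

Run it as root with `sudo ./install-splunk.sh --run <version> "<wget URL>" splunk-<version>.tgz.sha512`; a failed checksum or a suspicious archive listing stops the script before anything is written to /opt.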
Next Steps
Once your initial setup is complete, here are some items I would look into completing next:
- Enable Web SSL
- Install some apps:
- Splunk App for Lookup File Editing: Provides a GUI for editing lookups easily.
- Config Explorer: Allows configs to be verified (btool) and edited from the GUI.
- Splunk Security Essentials: Good place to start for building alerts.
- Configure indexes
- Configure lastchance index: Guide in the works
- Enable receiving over port 9997
- Acquire and implement trusted web certificates