In this guide, we will look at getting Splunk set up on Windows using WSL with a free Splunk license. This guide accompanies the video tutorial on my YouTube channel, which you can find here: https://www.youtube.com/watch?v=reuRD_2DbXw.

WSL Setup

WSL (Windows Subsystem for Linux) is a compatibility layer for running Linux binary executables natively on Windows. We will use WSL to run the Linux version of Splunk Enterprise on Windows. We use the Linux version instead of the Windows MSI since most enterprise deployments run on Linux.

Here is a great guide from Microsoft on setting up WSL: https://learn.microsoft.com/en-us/windows/wsl/install.

At a high level, running this command will set up WSL and install Ubuntu on your Windows machine:

wsl --install

Once completed, you should be able to open Ubuntu from the Start Menu and set up your username and password.

Splunk Installation

Visit https://www.splunk.com/en_us/download.html, click “Get My Free Trial” under Splunk Enterprise, log in or create an account, and copy the wget command for the latest tgz file from the Linux tab.

Now open Ubuntu, navigate to your /tmp directory, and run the wget command you copied:

cd /tmp
wget -O splunk-<version>-Linux-x86_64.tgz <download URL copied from the Linux tab>

Extract the tarball to the /opt directory:

tar -xzvf splunk-<version>-Linux-x86_64.tgz -C /opt

Start Splunk, accept the license agreement, and set a password for the admin user:

/opt/splunk/bin/splunk start

Note: As mentioned in the video, Splunk allows you to choose any username for the first user. However, many apps expect the user admin to exist, so I recommend using admin as the initial user.

You can access Splunk at http://localhost:8000.
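The download, extract and first-start steps above, collected into one script as an added example that is not part of the original post. It assumes you pass it the tarball URL copied from the Splunk download page, that a checksum file named <tarball>.sha512 in sha512sum format is published at the same URL with .sha512 appended (an assumption; confirm the link on the download page), and that the admin password is read from a file rather than typed on the command line. It goes beyond the text in two ways: the download is verified before it is unpacked, and the first user is seeded through user-seed.conf so that the first start needs no interactive prompts. The function names and the password-file path are this example's own.

```bash
#!/usr/bin/env bash
# Added example: non-interactive Splunk Enterprise install for WSL/Ubuntu.
# Not from the original post. Assumes the caller has write access to
# /opt (run with sudo or fix permissions first) and supplies the tarball URL.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Compare a tarball against a sha512sum-format checksum file
# ("<digest>  <filename>"). Returns 0 on match, 1 on mismatch.
verify_tarball() {
    local tarball="$1" sumfile="$2"
    local expected actual
    expected="$(awk '{print $1}' "$sumfile")"
    actual="$(sha512sum "$tarball" | awk '{print $1}')"
    [ "$expected" = "$actual" ]
}

# Create user-seed.conf so Splunk creates the admin user on first start
# instead of prompting. The password comes from a file, so it never
# appears in shell history or the process list. Prints the conf path.
seed_admin() {
    local home="$1" passfile="$2"
    local conf="$home/etc/system/local/user-seed.conf"
    mkdir -p "$(dirname "$conf")"
    # Subshell so the restrictive umask applies only to this file.
    (
        umask 077
        printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' \
            "$(cat "$passfile")" > "$conf"
    )
    echo "$conf"
}

# Download, verify, extract under /opt, seed the admin user, start Splunk.
install_splunk() {
    local url="$1" passfile="$2"
    local tarball="/tmp/${url##*/}"
    wget -O "$tarball" "$url"
    # Assumption: the checksum lives at "<tarball URL>.sha512".
    wget -O "$tarball.sha512" "$url.sha512"
    if ! verify_tarball "$tarball" "$tarball.sha512"; then
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$(dirname "$SPLUNK_HOME")"
    seed_admin "$SPLUNK_HOME" "$passfile" >/dev/null
    # Accept the license and skip prompts; admin was seeded above.
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
}

# Usage: ./install_splunk.sh <tarball URL> [password file]
# (password file path below is a hypothetical default, not a Splunk convention)
if [ "${1:-}" ]; then
    install_splunk "$1" "${2:-$HOME/.splunk_admin_pass}"
fi
```

After the first start, Splunk removes the plaintext password from user-seed.conf, but it is still worth deleting the password file you created and confirming the login at http://localhost:8000 works with the seeded admin user.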

Splunk Licenses

With the initial installation, you get a free 500MB/day license that lasts for 60 days. After that, you can continue to use the free license. Here is some information about the different license types:

Trial License

The trial license is a 60-day license that allows you to use all the features of Splunk Enterprise. The trial license is limited to 500MB/day.

Free License

By visiting Settings > Licensing and clicking on Change License Group, you can switch to the Free license. The free license has more restrictions than the trial license and is still limited to 500MB/day. You can read more about the free license here: https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/MoreaboutSplunkFree.

Enterprise License

The enterprise license is a paid license that allows you to ingest more data per day, depending on the license you purchase. It also unlocks all the features of Splunk Enterprise.

Splunk Developer License

The developer license allows you to ingest up to 10GB/day and is valid for 6 months. After 6 months, you can request another license. This license is free and is meant for developers to test their apps and configurations. It unlocks all the features of Splunk Enterprise. If this fits your use case, you can request a developer license here: https://dev.splunk.com/enterprise/dev_license/.

Splunk Test License

The test license is a 6-month license that allows you to ingest up to 50GB/day. This license doesn’t unlock all the features of Splunk Enterprise. You can read more about the test license here: https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html.

Splunk Forwarder License

We didn’t talk about forwarders in this video, but forwarders are used to send data to a Splunk indexer. The forwarder license doesn’t have a data limit, but it only unlocks features required for forwarding data. For example, you can’t index or search data with a forwarder license. This license is free, doesn’t require a license server/file, and never expires. Typically, installing this license on a Splunk Enterprise instance is what “converts” it to a Heavy Forwarder. Splunk’s Universal Forwarder ships with the forwarder license by default.